EEVblog Electronics Community Forum
Products => Test Equipment => Topic started by: Fungus on August 31, 2018, 06:06:03 pm
-
Latest unlocking instructions are in this post:
https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg4066828/#msg4066828 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg4066828/#msg4066828)
-
plus a video will be great.
start from here from what i observe.
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639)
-
Ian posted the most concise instructions for the bandwidth upgrade in that thread:
1. Update with the OS update with the known root password.
2. telnet to the scope, and log in as root.
3. Execute these commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
4. Reboot
I don't think there has been a definitive consensus on unlocking the other options without option codes?
-
plus a video will be great.
start from here from what i observe.
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639)
Yep like that and similar for SSA too.(mentioned in SSA hack thread)
There are other/better ways too. :-X
-
Ian posted the most concise instructions for the bandwidth upgrade in that thread:
1. Update with the OS update with the known root password.
a) Which you get.... where?
b) How do you install it?
2. telnet to the scope, and log in as root.
a) Telnet port #?
3. Execute these commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
4. Reboot
Is that definitively all it takes? I've read a few places that there's some weird aliasing at high frequencies that isn't in the real 200Mhz version of the 'scope, that maybe something else needs tweaking.
To me it seems weird that you'd hide the bandwidth.txt file instead of modifying it (if I were a Siglent firmware writer I'd default to low bandwidth when the file is missing)
I don't think there has been a definitive consensus on unlocking the other options without option codes?
You mean the "software" part of the AWG, MSO and WiFi options?
-
Here was my process
1.) Format a USB flash drive to FAT32
2.) Load the flash drive with the SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18) by downloading it from the Siglent website (https://www.siglentamerica.com/download/6422/) and unzipping it onto the flashdrive.
3.) Once the file is loaded, install the firmware onto the oscilloscope by following the instructions in the PDF included in the firmware zip file. Verify the correct firmware version is installed using the menus within the Utility button, and take note of the model number (should read SDS1104X-E)
4.) Once the firmware has been installed on the scope, reformat the flash drive to FAT32 and unzip the SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18) after downloading it from the Siglent website (https://www.siglentamerica.com/download/6158/).
5.) Install the software update onto the oscilloscope by following the instructions in the PDF included in the firmware zip file. Reboot the scope and verify the correct software version is installed using the menus within the Utility button.
6.) Download the custom operating system file (https://www45.zippyshare.com/v/SEUJEWE1/file.html) that possesses the known telnet password. Unzip it onto a USB drive and install it just as you installed the stock software file from the Siglent website. NOTE: Some computers do not correctly load the software file onto the USB drive, thus preventing the scope from updating from the stock software to the custom software. I have experienced this problem personally. If this occurs, try loading it onto the USB from a different computer. I had success using a Raspberry Pi to load the custom software onto the USB.
7.) After installing the custom software, plug the oscilloscope into your router with an ethernet cable, and telnet into the scope on port 23 using the known password.
8.) Once in the scope via telnet, execute the following commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
9.) Reboot the scope, and verify that the model number displayed in the Utility button menus has been updated to show an SDS1204X-E
Now the scope should have 200MHz bandwidth. I have verified that mine possesses this bandwidth using a very reliable, stable signal generator (Fluke 6061A)
EDIT: Thanks ian.ameline for the link to a download source for the custom software. I have updated step 6 with this information.
-
The OS with the known password can be found here; https://www45.zippyshare.com/v/SEUJEWE1/file.html
The instructions above are accurate.
-
Ian posted the most concise instructions for the bandwidth upgrade in that thread:
1. Update with the OS update with the known root password.
a) Which you get.... where?
b) How do you install it?
2. telnet to the scope, and log in as root.
a) Telnet port #?
3. Execute these commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
4. Reboot
Is that definitively all it takes? I've read a few places that there's some weird aliasing at high frequencies that isn't in the real 200Mhz version of the 'scope, that maybe something else needs tweaking.
To me it seems weird that you'd hide the bandwidth.txt file instead of modifying it (if I were a Siglent firmware writer I'd default to low bandwidth when the file is missing)
I don't think there has been a definitive consensus on unlocking the other options without option codes?
You mean the "software" part of the AWG, MSO and WiFi options?
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions
- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.
- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.
- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.
-
Does this work for the SDS1102X ?
Presumably it would need different hacked software?
-
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions
- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.
Nice attitude.
Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).
- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.
Nobody's doubting the bandwidth increases but some people claim to have noticed weird aliasing (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1624537/#msg1624537) or that the capacitors (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613386/#msg1613386) are different.
Those problems might be just the probes (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1619152/#msg1619152). It's reasonably well known that cheap-ass probes start to go to hell around 250MHz and one of the differences between the two models is that you get much better probes with the 200MHz version.
If it is the probes then a new set of probes should probably be thrown into the upgrade mix, that puts the price of the "hacked" version up by $100.
Food for thought, yes?
- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.
How do you explain the fact that the 'scope is only eight months old but you already need to download old firmwares to be able to do it, that newer firmwares don't work? What happens if Siglent decides to encrypt that file and make it default to 50Mhz when it's missing? It is *very* easy to make it much harder. :popcorn:
(and what happens when Siglent removes that old firmware from their web site?)
PS: Nowhere near as easy as a Rigol (neener neener).
-
3. Execute these commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
4. Reboot
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.
I'm, not at all linux expert (far away) so I can not my self think when it is important exactly and when not, so I use it nearly always. In some cases it is extremely important, in some cases perhaps not so important and always we can try walk with just trusting good luck.
3. Execute these commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
sync
4. Reboot
Perhaps some who really know could take position to this with reasoning.
-
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.
Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.
(take note, ian.ameline).
-
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.
Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.
(take note, ian.ameline).
Just because this bolded...
-
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions
- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.
Nice attitude.
Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).
If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15. L=23
-
If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15. L=23
I don't think "RTFM!" should be used in a "step by step" guide - this is the FM.
-
If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15. L=23
I don't think "RTFM!" should be used in a "step by step" guide - this is the FM.
Yes, and if this FM would not mention port, then obviously, the less than experienced user would not write it in the command either, so the command ends up using the default port, which thus works. A more experienced user would already know that if the port is the default, it is typically left out from instructions, (and that if it is not default, it is shown). Thus, the earlier version without the port number was quite sufficient, and this nitpicking about port number is just that, useless nitpicking.
Otherwise :-+, points for making the push to get those instructions done clearly in one place, instead of the typical spread of bits and pieces in here and there over 3 threads and 10 pages among all the other messages. Certainly makes it easier than before.
-
Sometimes it is easy forget that not all peoples have used telnet at 80's ;)
So it is perhaps good to tell (but also most of good telnet client do it as default, as example many times recommended PuTTY or just plain puttytel.exe (a Telnet-only client) )
-
http://lmgtfy.com/?q=default+telnet+port (http://lmgtfy.com/?q=default+telnet+port)
If you're too lazy to use google, I really don't know how to respond. You may have chosen the wrong hobby if you expect someone else to do all the work for you.
There -- now my attitude is clear.
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions
- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.
Nice attitude.
Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).
- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.
Nobody's doubting the bandwidth increases but some people claim to have noticed weird aliasing (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1624537/#msg1624537) or that the capacitors (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613386/#msg1613386) are different.
Those problems might be just the probes (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1619152/#msg1619152). It's reasonably well known that cheap-ass probes start to go to hell around 250MHz and one of the differences between the two models is that you get much better probes with the 200MHz version.
It it is the probes then a new set of probes should probably be thrown into the upgrade mix, that puts the price of the "hacked" version up by $100.
Food for thought, yes?
- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.
How do you explain the fact that the 'scope is only eight months old but you already need to download old firmwares to be able to do it, that newer firmwares don't work? What happens if Siglent decides to encrypt that file and make it default to 50Mhz when it's missing? It is *very* easy to make it much harder. :popcorn:
(and what happens when Siglent removes that old firmware from their web site?)
PS: Nowhere near as easy as a Rigol (neener neener).
What if purple monkeys fly out of my ass? What if, what if, what if.
You asked for the hack -- we gave it to you. Now you complain. Again, you probably should take up golf instead.
Cheers...
-
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.
Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.
(take note, ian.ameline).
Good point -- I tend to assume people around here who poke around with electrons aren't lazy idiots, and research perhaps even a little background knowledge before poking their meat-probes at things they may have little experience with -- clearly an unexamined assumption -- google must be too hard to use.
But in the case here, buffers are flushed pretty quickly -- you'd need to power cycle within milliseconds to have a problem, and even then, you'd have to get really unlucky (in a microsecond wide window) to get an inconsistent state in the flash. I doubt you could make it happen by trying.
-
http://lmgtfy.com/?q=default+telnet+port (http://lmgtfy.com/?q=default+telnet+port)
If you're too lazy to use google, I really don't know how to respond. You may have chosen the wrong hobby if you expect someone else to do all the work for you.
Um, the question was whether Siglent uses the standard port, not if I (or somebody who doesn't spend their lives using green-screen Linux) can google what the standard port is.
There -- now my attitude is clear.
Crystal.
-
Next question: When people say "the one with the known root password", what would that password be?
(I think we have to assume that not everybody will "know" it)
-
Next question: When people say "the one with the known root password", what would that password be?
(I think we have to assume that not everybody will "know" it)
Why lazy people should be fed.
-
Next question: When people say "the one with the known root password", what would that password be?
(I think we have to assume that not everybody will "know" it)
Let's just say that if you are a regular eevblog reader, you are typing the password every day.
As regards the concern that you are restricted to using the outdated firmware to perform the bandwidth upgrade, it is possible to modify any firmware revision yourself and insert your own custom password. You can follow the posts by janekivi & tv84 in the Siglent .ads file thread where the process is described in detail.
-
As regards the concern that you are restricted to using the outdated firmware to perform the bandwidth upgrade, it is possible to modify any firmware revision yourself and insert your own custom password. You can follow the posts by janekivi & tv84 in the Siglent .ads file thread where the process is described in detail.
I'm more worried that in the future the 'scope might not default to 200Mhz when the bandwidth.txt file is missing.
(eg. it could just as easily default to 50MHz... :popcorn: )
-
Although I disagree with the way the OP has been conducting this process, I would like to add my 2 cents to the benefit of the whole forum:
All must realize that the method described previously (removing the bandwidth.txt) triggers the activation of the PRO_MODE in the scope (which is the "Production Mode"). This mode enables all the Options and the BW to the max possible.
This mode can, in fact, be easily disabled in future FW versions and/or Siglent can change it to trigger the activation of the lowest BW instead of the highest. Maybe they use the highest precisely to evaluate the full potential of the equipment before leaving factory...
The activation using the official licenses as described by me in the Siglent .ADS thread is more future proof (and can also be used in other equipments). Of course, if you end up just discovering the lower BW licenses, then you can reinsert the original bandwidth.txt.
I leave a small "easter egg" attached that does the following:
sync
mount -o sync,rw,remount /usr/bin/siglent/firmdata0/
sync
mv /usr/bin/siglent/firmdata0/bandwidth.txt /usr/bin/siglent/firmdata0/bandwidth.bak
sync
mount -o sync,ro,remount /usr/bin/siglent/firmdata0/
sync
which means it replaces all the steps described previously in this thread without the need to change FS root password, etc.
Execute it as a normal update. It should be run after the scope is running and you should reboot after. For security reasons it won't overwrite any existing bandwidth.bak so that you can keep the original (in case people run it multiple times).
-
This is an unofficial guide on how to unlock 200Mhz bandwidth on SDS1104X-E oscilloscopes, effectively turning them into SDS1204X-Es....................
Warning: The PP510 (https://store.siglentamerica.com/product/pp510-1000-mhz-oscilloscope-probe/) probes that are supplied with the SDS1104X-E are 100MHz probes. If you intend to make use of the 200Mhz bandwidth then you need to spend an extra $100 and get a set of real 200Mhz probes, eg. the PP215 (https://store.siglentamerica.com/product/pb215-150-mhz-oscilloscope-probe/) probes that are supplied with the SDS1204X-E.
If you don't do this then you won't have 200MHz bandwidth and you may get misleading readings on screen. You have been warned.
Scaremongering BS ! :bullshit:
Some ppls just don't/won't do their homework ! ::)
Or don't have a clue. :-//
It is clearly seen PP510 and PP215 probe performance combined with scope performance is well within system specification !
(https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/?action=dlattach;attach=397963)
From this post:
https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg1434665/#msg1434665 (https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg1434665/#msg1434665)
-
Next question: When people say "the one with the known root password", what would that password be?
(I think we have to assume that not everybody will "know" it)
Then this not for those everybody.
"If you don't know the password, you are not qualified to hack your equipment!"
Password is our signature and made for us only. We don't speak about it loud everywhere.
You must be one of us. If you are, you have been here and you know things. If not...
you are not qualified to hack your equipment.
And even if strangers outside can use them, they can't spread them without our mark.
If this is too much asked and you just need all options and bandwidth, buy them!
-
By the way, those "ZippyShare" links are not working at all for me (in my region). Don't know if I need VPN for this or not. If someone can provide me the file, I can try to put on another shared folder for plp with my issue... Thanks!
-
The activation using the official licenses as described by me in the Siglent .ADS thread is more future proof (and can also be used in other equipments). Of course, if you end up just discovering the lower BW licenses, then you can reinsert the original bandwidth.txt.
Okay, I'm attempting to follow this alternative path to unlock my brand new 1104X-E (delivered w/ 7.1.6.1.25R2) and I've encountered a problem/questions.
I loaded SS1004X-E_OSV1_EN_eevblog on a thumbdrive, and uploaded my scope.
I logged in via telnet, and executed the following:
cd /usr/bin/siglent/usr/mass_storage/U-disk0
cat /dev/mem > memdump.bin
this yields an error:
cat: read error: Bad address
the resulting file:
/usr/bin/siglent/usr/mass_storage/U-disk0 # ls -l memdump.bin
-rwxr-xr-x 1 root root 251658240 Jan 1 00:22 memdump.bin
so I end up w/ a file 240MB in size (240*1024*1024)
yielding the question
(1) "is this expected?" (e.g. both the error, and the resulting file size.)
If I take that file, and run it through the license code detector C# app, I get ~100 unique strings. Most of them look like regular text strings (e.g. ' 6cachingiterator'), others -- about 6 -- look like random strings (FTKW-UZFD-7PKY-D5MK and b4fa-cf7d-5c37-c2df). I tried plugging in those 6 random strings into the license manager (Options->Install) but I get a "data is invalid" error. So
(2) does anyone know what the license codes actually look like (e.g. should they be hexadecimal only? or can they include non-hex alphanumerics?)
(3) should I be attempting to enter the codes at this point, or should I be doing something else before I attempt it (e.g. perform a different update, etc.) and THEN try the codes?
Thanks,
Vin
-
1. :-+
2. See my example.
3. Try codes.
-
Of the 90+ sets of upper or lowercase characters/digits, only 6 appear to be random -- the remaining contain English words, which makes me believe they are part of the OS.
The remaining 6, I attempted to install through the scopes panel -- I attempted each code for each option (MSO, Wifi, AWG) and each time I receive "The data is invalid", which leads me to suspect the output generated from the C# code does not contain any licensing codes.
I suppose I could print out a hex dump of the bin file and look for strings by hand, to see if there are keys missed by the C# code.... the PDF created by winhex is only 91,301 pages long :)
-
If I take that file, and run it through the license code detector C# app, I get ~100 unique strings. Most of them look like regular text strings (e.g. ' 6cachingiterator'), others -- about 6 -- look like random strings (FTKW-UZFD-7PKY-D5MK and b4fa-cf7d-5c37-c2df). I tried plugging in those 6 random strings into the license manager (Options->Install) but I get a "data is invalid" error. So
Any chance you could share how you run the memdump.bin in the C# script?
Thank you :-)
-
The remaining 6, I attempted to install through the scopes panel -- I attempted each code for each option (MSO, Wifi, AWG) and each time I receive "The data is invalid", which leads me to suspect the output generated from the C# code does not contain any licensing codes.
But they could be BW licenses... ;)
I suppose I could print out a hex dump of the bin file and look for strings by hand, to see if there are keys missed by the C# code.... the PDF created by winhex is only 91,301 pages long :)
You're getting there! If you carefully RTFM it suggests: "the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halfs of 32-char size strings..."
-
Any chance you could share how you run the memdump.bin in the C# script?
:wtf: Have you even looked at the script?
byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");
-
Any chance you could share how you run the memdump.bin in the C# script?
:wtf: Have you even looked at the script?
byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");
Of course I have looked at the the script :-) I am not a programmer apart from some arduino stuff. I am sorry.
-
download/install visual studio community edition, and then cut/paste the code into a Win32 console application:
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace TestApp
{
class Program
{
static void Main(string[] args)
{
byte[] buffer = System.IO.File.ReadAllBytes(@"G:\memdump.bin");
for (int j = 0, l = 0; j < 2; j++, l += 0x20)
for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
if ( ((buffer[i] < '2') || (buffer[i] > '9')) &&
((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) &&
buffer[i] != ('L' + l) &&
buffer[i] != ('O' + l))
{
if (strSize == 16)
Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
strSize = 0;
strStart = i + 1;
}
else strSize++;
Console.ReadKey();
}
}
change hard-coded filename if you like, or, perhaps, modify code to use args[1] compile and run.
-
If you carefully RTFM it suggests: "the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halfs of 32-char size strings..."
I did see this, but I'm having a difficult time grokking exactly what you mean.
Assuming I have the following:
0819ABBB 8ki7-axhk-yilk-bdgy
0819ABDB 8ki7-axhk-yilk-bdgy
0819ABFB 8ki7-axhk-yilk-bdgy
I interpreted the clause as meaning I should try "yilk-bggy-8ki7-axkh' in addition (which didn't work).
I also tried "axhk-yilk-bdgy-8ki7" and "bdgy-8ki7-axhk-yilk" without success.
Or, should I be trying all combinations, e.g. ki7a-..., i7ax..., 7axh..., shifting each character at a time, like a rotate w/ carry?
Is there an easier way to try license codes, other than keying them in though the intensity/adjust/select dial (e.g. through the telnet interface?)
-
download/install visual studio community edition, and then cut/paste the code into a Win32 console application:
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace TestApp
{
class Program
{
static void Main(string[] args)
{
byte[] buffer = System.IO.File.ReadAllBytes(@"G:\memdump.bin");
for (int j = 0, l = 0; j < 2; j++, l += 0x20)
for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
if ( ((buffer[i] < '2') || (buffer[i] > '9')) &&
((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) &&
buffer[i] != ('L' + l) &&
buffer[i] != ('O' + l))
{
if (strSize == 16)
Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
strSize = 0;
strStart = i + 1;
}
else strSize++;
Console.ReadKey();
}
}
change hard-coded filename if you like, or, perhaps, modify code to use args[1] compile and run.
Thank you very much, managed to get the memory dump processed, and found some interesting things with some (a lot of) help 8)
-
Thank you very much, managed to get the memory dump processed, and found some interesting things with some (a lot of) help 8)
For some real fun, check out these GitHub repositories:
https://github.com/Siglent/FindKeys
https://github.com/Siglent/TryKeys
Purely for educational purposes only. User is expected to comply with all applicable state, county, federal and international laws :)
-
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course). No "guessing games" like the other software posted (although it was a fun intellectual exercise!)
Skill level: Easy/Moderate
Risk: Slim to none.
Assumptions: You know the root password to your scope.
Steps:
1. download full armv7l version of busybox which has core dump enabled.
see: https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l
2. put version on thumb disk
3. reboot scope to known state
4. telnet to scope and log in as root
5. insert usb stick
6. copy busybox binary from usb to /tmp:
cp /usr/bin/siglent/usr/mass_storage0/U-disk/busybox-armv7l /tmp
7. unmount and remove usb
umount /usr/bin/siglent/usr/mass_storage/U-disk0
(and then remove usb stick)
8. identify and kill existing sds1000b.app
ps -ef | grep sds | awk '{printf "kill -9 %s\n", $1}' | ash
9. change to /tmp directory:
cd /tmp
10. launch new busybox ash shell
/tmp/busybox_armv7l ash
(when you press enter it looks like nothing happens, but something does)
11. re-launch scope app in new busybox environment in background
/usr/bin/siglent/sds1000b.app &
12. increase core dump ulimit to unlimited:
ulimit -c unlimited
you can verify new limit by typing
ulimit -c
and you should get a response "unlimited"
12. kill scope app again, telling OS to create a core dump of the app:
ps -ef | grep sds | awk '{printf "kill -ABRT %s\n", $1}' | ash
13. wait a few seconds, and press enter once or twice. you should see:
[1]+ Aborted (core dumped) /usr/bin/siglent/sds1000b.app
if you do not, you did something wrong, go to step #3
14. verify core dump is in /tmp:
ls /tmp/core*
you should see something like this:
-rw------- 1 root root 377511936 Jan 1 00:14 /tmp/core
if not, you did something wrong, go to step #3
15. exit out of usb version of busybox shell
exit
(it will look like nothing happens when you press enter, but, something does)
16. re-launch Siglent scope application. See Step #11
17. insert usb drive
18. copy core dump to thumb drive
cp core /usr/bin/siglent/usr/mass_storage/U-disk0/coredump.bin
(this will take a minute or two, its a big file)
19. unmount usb stick and remove (see step #7)
20. Insert USB stick on Windows/Mac/Linux and open the coredump.bin file in your favorite hex editor.
21. Search for string "SDS1000X-E". Keep searching until you find the string next to either your scopeid (if you do not know your scope id, you can get it using the SCPI SCOPEID? command thru the web interface) or your serial number.
22. When you locate the entry with your scope ID, you will see a series of 5 16-character strings below it (one will look like a 32 character string, split it into half so you have two 16-character strings. These are your 100, 200, 50 and 70 mhz license keys, respectively. The one that appears twice is the license key your scope is currently licensed under.
23. You can license a different bandwidth by typing MCBD (license key) at the scope's SCPI web interface. It is necessary to reboot after you do this for everything to reset and take effect. You can verify the bandwidth by typing PRBD? through the SCPI web interface.
24. When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO.
25. You can license any options through the scope's SCPI interface using LCISL (option),(key) where (option) is AWG, WIFI or MSO and (key) is the 16-character key.
26. after doing so, even though the options are immediately licensed and active, I recommend a reboot for the new options to take effect.
27. Write keys down in a safe place so you do not lose them again.
-
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course).
...
27. Write keys down in a safe place so you do not lose them again.
I promise I won't lose my keys again. ;D
-
Thanks for all the info posted here and in the firmware thread. The sample code really helped show me where in the memory dump to look for things and how they are stored. I can see patterns related to the restored keys location and surrounding data, hoping to make sense of it and then make the key backup better/easier.
Some tips...
1) A simple memdump is all you need to grab for trying to backup your keys. (In my case I didnt have to do a coredump)
2) The FindKeys/TryKeys code works very well.
3) Backup the whole "siglent" folder to your USB stick just in case.
I got sidetracked and started digging into the firmware files.
The webserver is very interesting, its lighthttpd with php 5.
They made a custom c module (.so) to handle communicating between the web front end and the hardware. AJAX scpi commands + more is possible.
Did you know, to change from english to chinese they do a file copy/move of php files around ? interesting.
The visual is via a custom/modified VNC server with websockets support. On the client its using the noVNC library, which for some reason has a quicker refresh rate and much faster updates than a real vnc client.
-
I posted this in the general SDS1104/1204X-E thread, but was directed here. If you have a memory dump from their SDS1000X-E and want to parse it for keys, the Python function to do it. It works with all dumps from my oscilloscope (1104X-E), but I only have the one. It'd be great to hear if it works for others.
import re
import string
def getkeys(scopeid, serialno, memdumpfile):
"""
Parse a memory dump from a Siglent 1000X-E oscilloscope and return a dict containing
license keys for bandwidths and options. The 'activebw' key is the one that is currently
active in the 'scope (e.g. if the value of '100M' is the same as the value of 'activebw',
the oscilloscope is software locked to 100 MHz bandwidth)
"""
if len(scopeid) == 16 and set(scopeid) <= set(string.hexdigits):
scopeid = scopeid.lower().encode('utf-8')
else:
raise ValueError('Scope ID must be 16 hexadecimal characters (remove dashes).')
if len(serialno) == 14 and set(serialno) <= set(string.ascii_letters + string.digits):
serialno = serialno.upper().encode('utf-8')
else:
raise ValueError('Serial number must be 14 alphanumeric characters.')
f = open(memdumpfile, 'rb')
data = f.read()
f.close()
regex_bw = re.compile(scopeid + b'.*?'+ scopeid + b'.*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16})', re.DOTALL)
regex_opt = re.compile(serialno + b'.*?' + serialno + b'.*?([0-9A-Z]{48})', re.DOTALL)
key_bw = list([n.decode('utf-8') for n in re.findall(regex_bw, data)[0]])
key_opt = re.findall('.{16}', re.findall(regex_opt, data)[0].decode('utf-8'))
keys = {}
key_labels = ('100M', '200M', '50M', '70M', 'activebw', 'awg', 'wifi', 'mso')
keys.update(zip(key_labels, key_bw + key_opt))
return(keys)
As nicolasg posted, a simple cat /dev/mem worked well for me - I didn't need to trigger a core dump.
-
Hello, i have a simple question last month i've updated to SDS1004X-E Firmware (4-Channel Model)- 6.1.26 (Release Date 09.26.18 ) do I have to downgrade to 6.1.25R2 before the unlock ?
thanks ! ;D
-
Thanks for this guys, VT100s guide has a few typos, but worked well.
-
Hello, i have a simple question last month i've updated to SDS1004X-E Firmware (4-Channel Model)- 6.1.26 (Release Date 09.26.18 ) do I have to downgrade to 6.1.25R2 before the unlock ?
thanks ! ;D
No.
-
Thanks for this guys, VT100s guide has a few typos, but worked well.
if you email me the typos I can update so things are correct. sometimes my brain and hands work at different speeds so what I am thinking and what comes out on the screen are two different things.
-
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course). No "guessing games" like the other software posted (although it was a fun intellectual exercise!)
Skill level: Easy/Moderate
Risk: Slim to none.
Assumptions: You know the root password to your scope.
Steps:
1. download full armv7l version of busybox which has core dump enabled.
see: [url]https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l[/url]
2. put version on thumb disk
3. reboot scope to known state
4. telnet to scope and log in as root
5. insert usb stick
6. copy busybox binary from usb to /tmp:
cp /usr/bin/siglent/usr/mass_storage0/U-disk/busybox-armv7l /tmp
7. unmount and remove usb
umount /usr/bin/siglent/usr/mass_storage/U-disk0
(and then remove usb stick)
8. identify and kill existing sds1000b.app
ps -ef | grep sds | awk '{printf "kill -9 %s\n", $1}' | ash
9. change to /tmp directory:
cd /tmp
10. launch new busybox ash shell
/tmp/busybox_armv7l ash
(when you press enter it looks like nothing happens, but something does)
11. re-launch scope app in new busybox environment in background
/usr/bin/siglent/sds1000b.app &
12. increase core dump ulimit to unlimited:
ulimit -c unlimited
you can verify new limit by typing
ulimit -c
and you should get a response "unlimited"
12. kill scope app again, telling OS to create a core dump of the app:
ps -ef | grep sds | awk '{printf "kill -ABRT %s\n", $1}' | ash
13. wait a few seconds, and press enter once or twice. you should see:
[1]+ Aborted (core dumped) /usr/bin/siglent/sds1000b.app
if you do not, you did something wrong, go to step #3
14. verify core dump is in /tmp:
ls /tmp/core*
you should see something like this:
-rw------- 1 root root 377511936 Jan 1 00:14 /tmp/core
if not, you did something wrong, go to step #3
15. exit out of usb version of busybox shell
exit
(it will look like nothing happens when you press enter, but, something does)
16. re-launch Siglent scope application. See Step #11
17. insert usb drive
18. copy core dump to thumb drive
cp core /usr/bin/siglent/usr/mass_storage/U-disk0/coredump.bin
(this will take a minute or two, its a big file)
19. unmount usb stick and remove (see step #7)
20. Insert USB stick on Windows/Mac/Linux and open the coredump.bin file in your favorite hex editor.
21. Search for string "SDS1000X-E". Keep searching until you find the string next to either your scopeid (if you do not know your scope id, you can get it using the SCPI SCOPEID? command thru the web interface) or your serial number.
22. When you locate the entry with your scope ID, you will see a series of 5 16-character strings below it (one will look like a 32 character string, split it into half so you have two 16-character strings. These are your 100, 200, 50 and 70 mhz license keys, respectively. The one that appears twice is the license key your scope is currently licensed under.
23. You can license a different bandwidth by typing MCBD (license key) at the scope's SCPI web interface. It is necessary to reboot after you do this for everything to reset and take effect. You can verify the bandwidth by typing PRBD? through the SCPI web interface.
24. When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO.
25. You can license any options through the scope's SCPI interface using LCISL (option),(key) where (option) is AWG, WIFI or MSO and (key) is the 16-character key.
26. after doing so, even though the options are immediately licensed and active, I recommend a reboot for the new options to take effect.
27. Write keys down in a safe place so you do not lose them again.
So it looks like the coredump utility of the ARM7L busybox file you linked us has not been enabled (at least according to the log file on that website). Does anyone have a compiled version of busybox with coredump enabled?
-
The linked version did dump for me, I just had to kill it 3 times, third time worked.
-
Which kill worked the third time? The first process kill or the second one after BusyBox was running? What was the procedure that worked for you?
-
For some real fun, check out these GitHub repositories:
https://github.com/Siglent/FindKeys
https://github.com/Siglent/TryKeys
Purely for educational purposes only. User is expected to comply with all applicable state, county, federal and international laws :)
This is almost awesome and almost worked swimmingly well.
The Tek 475 here decided to go traceless. I'd been sorely tempted by the low end Rigol for the last few years, but the Siglent at 200MHz with four channels felt like a more compelling addition. Don't need the 200MHz, don't actually need any of the other features either, don't even use a scope often anymore, but it's always fun to hack, and being able to log in to your devices to poke around is fun. Aside from not immediately figuring out that the unit came with DHCP disabled, all of that went very well and I had the eevblog-modified OS loaded and running without much ado.
However, when I got to the github projects above, my code development environment is much closer to working on a VT100 than it is a PC with an IDE. There was a little irony that a user with a handle of VT100 posted a bunch of Microsoft-dependent stuff. I didn't have Visual Studio loaded anywhere, and how to use it wasn't entirely clear to me, as my development environment is usually just vi, cc, make, and the rest of the UNIX stack. I figure if someone who's written tons of C had issues figuring this out, maybe non-developers or other old UNIX farts might have trouble too. If this turns out to be helpful to someone, here's a few notes, hard won through about eight hours of persistence and one trashed VM, hopefully a clue or two for anyone similarly clueless-ish about Visual Studio:
Visual Studio is huge. It almost overflowed my 50GB Windows lab VM's. I installed Visual Studio Community 2017 with the Visual Studio Installer downloaded from Microsoft. Under "Workloads" I had it install .NET Desktop Development, Desktop development with C++, and .NET Core cross platform development. I also selected "NuGet targets and build tasks" under "Installation details" the second time around, because something went tragically wrong with my first VM, and NuGet wasn't working correctly. Some of these selections are needlessly sloppy, I'm sure.
Once in Visual Studio 2017, I went to "File -> Open -> Open from Source Control", plugged in the FindKeys github URL, and it picked it up, bringing up a "Solution Explorer" window. After spending some time looking around and wondering where a "build" button or key was, I opened "Program.cs" in the editor to look at it and suddenly "Build" became available in the menu bar. Yay for obtuseness. It built the FindKeys.dll just fine, depositing it in C:\Users\username\source\repos\FindKeys\bin\Debug\netcoreapp2.1, so I just moved the memory dump bin file to that directory and ran it there, and it worked.
At this point, things went off the rails unrecoverably on the first VM. I tried to do the same process for TryKeys and it went seriously sideways. It needed a package called "LiteGuard" and I couldn't figure out how to install it. For whatever reason, NuGet was broken and unusable in the first VM. Being unfamiliar with the tool and thinking myself just too dumb for modern tools, I wasted several hours stuck trying to remediate that. Install-Package simply wasn't there or was broken or something. So I switched to a different lab VM, installed Visual Studio again, and went to do TryKeys again.
This bombed as the build still needed "LiteGuard". Trying to install that, it refused. It really wanted a project name. So I knew I wasn't really doing this correctly, but I didn't really care, so I exited out of VS to dump the mess, launched VS again, did "New -> Project from Existing Code", specified "Visual C#", pointed the dir at C:\Users\username\source\repos\TryKeys, and named it "TryKeys". Then I was finally able to successfully go to "Tools -> NuGet Package Manager -> Package Manager Console" and entered
PM> Install-Package LiteGuard -Project TryKeys
It still presented an error but it seemed to complete, so I again opened Program.cs, ran "Build", and it built, and ran great.
Y'all are welcome to explain in excruciating detail how I made this more complicated than needed or went about it entirely the wrong way. :-) I just felt it would be a shame if the effort put into these two fine Siglent tools was not accessible to someone without any coding experience. Thanks for the tools.
-
My process was get to the point where you kill the application, step 12, then fire up the process again, step 11, then using "PS -A" to find its new PID, and "kill -ABRT <PID>" It was my third loop of starting and killing it that got me a core dump.
-
There was a little irony that a user with a handle of VT100 posted a bunch of Microsoft-dependent stuff.
I wanted to learn .netcore and this was my first .net core application.
Visual Studio is huge. It almost overflowed my 50GB Windows lab VM's.
if someone makes a pre-compiled version available then you could get away with installing the .dot core runtime, which is significantly smaller, and would run on linux. .dotcore apps will compile and run on linux, allegedly.
It needed a package called "LiteGuard" and I couldn't figure out how to install it.
I have absolutely no idea what LiteGuard is. It wasn't a nuget package I used, but it does show up in project.assets.json now that I look. Perhaps it was a dependency of another nuget package I used in TryKeys which I didn't use in FindKeys -- e.g. the telnet library, for instance.
It was my third loop of starting and killing it that got me a core dump.
Strange thing is, I get a core dump each and every time, on the first try. I have no explanation as to why others have problems getting a core dump. Maybe I'm lucky.
-
I think I found an easier way to get the mem dump. I did this without needing to set a known root password.
I did this with a stock standard unhacked new SDS1104X-E software version 8.1.6.1.26. Some notes:
Insert a USB thumb drive formatted appropriately for the SDS1104X-E
Using the SCPI control of the web interface, put the following command (or similar depending on what filename you want):
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
Wait a minute or more for it to complete - it needs to copy a 256 megabyte file
cleanly shutdown the SDS1104X-E (with the power button on the front)
You can now move the USB thumb drive to a pc. There should be a memdump.bin file on there. You can follow other people already mentioned processes to extract keys from this. I used vt100's instructions from step 20 onwards here: https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg1877477/#msg1877477 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg1877477/#msg1877477) Thanks vt100. I used the free "Hex Fiend" on macos as the Hex editor but I expect any would do.
Thanks to Rerouter for letting me know about the "SHELLCMD" SCPI command https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2041069/#msg2041069 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2041069/#msg2041069).
Also thanks to everyone who provided procedures for extracting keys.
-
I should point out the memdump is slightly different to the core dump.
the core dump has the licenses loaded in somehow, (havent actually looked into it). while the memdump is just the application file.
so you cannot unlock at present with just the system file.
The other issue is if you tried to get a core dump, well the web interface is run by the system app, so once it crashes, the interface locks up.
-
I should point out the memdump is slightly different to the core dump.
the core dump has the licenses loaded in somehow, (havent actually looked into it). while the memdump is just the application file.
so you cannot unlock at present with just the system file.
The other issue is if you tried to get a core dump, well the web interface is run by the system app, so once it crashes, the interface locks up.
With the file produced by the "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" command, I believe I found all the keys. I think /dev/mem includes all memory - not just the memory from an application core dump. I only tested the bandwidth key as I don't have a need for the other ones. Bandwidth key worked for me.
-
Coredump provides a continuous mem image.
/dev/mem provides a fragmented memory image (in blocks of 4kB or something), with "random" order. For me it's random, if anyone can explain the logic it would be GREAT!
They are not the same and that's why some manipulations need to be done in /dev/mem.
BUT, both ways provide the needed licenses.
-
well if you wanted to play it that way, there are very few strings that are only capitalized alphanumeric, at least 16 characters long and contain no symbols, so on that basis you may be able to filter down memory images to only relevant ASCII formatted strings,
-
/dev/mem provides a fragmented memory image (in blocks of 4kB or something), with "random" order. For me it's random, if anyone can explain the logic it would be GREAT!
I'm no kernel expert, but at least on "bigger CPUs" most kernels these days do some kind of memory space randomization (which is probably "corrected" in the page tables inside CPU) for security reasons. Malware have harder time looking for data or injecting code, since the desired locations are randomly somewhere... (That description is probably too simple, slightly misunderstood by me, etc. but... might explain the random order in the /dev/mem. Something like this: https://en.wikipedia.org/wiki/Address_space_layout_randomization)
-
I spent quite a bit of time on this, with tv84's guidance, so let me state the following.
cat /dev/mem will give you a memory dump of the scope's entire memory. That memory is managed by the operating system kernel, and is broken up into 4k chunks, aka "pages". The kernel memory manager allots those pages to each process, using a process only someone intimately family with the kernel would be able to explain. Suffice to say, for our purposes, we can assume that any given process running on the scope will be assigned memory pages in a completely random order, even though to the process itself they may appear to be contiguous, they really are not, as the kernel is actually managing the allotment of and access to memory.
(if someone intimately family with the kernel memory management process can tell me where in a memory dump the paging table is located, and how to extract information from it in order to "reorganize" the memory pages for a given process into a single contiguous chunk, feel free to email me, I always enjoy a good intellectual exercise in programming.)
In order to retrieve your license keys from a memory dump, you need to utilize the process (either automatically or manually) captured in the "FindKeys" and "TryKeys" .net Core applications posted on GitHub. The reason being the memory keys will more than likely be "fragmented" into multiple 4k pages of memory. You may have 1/2 of a key at the end of one 4k memory page, and the remainder of the key at the start of another 4k memory page (I personally observe this w/ my own scope and was taking screen shots of a winhex display of the memory dump when I was going back and forth with tv84). And, those key fragments may be located megabytes apart in the file, with the 2nd half actually being 'first' in the file and the 1st half of the key being towards the end of the file.
So what FindKeys does is it examines the memory dump and identifies strings which may possibly be part of a license key. When it identifies a partial candidate, it will combine that partial candidate with other partial candidates to create one or more candidates to try (e.g. given the program finds one 8-character string A and another 8 character string B, it will create two candidates, AB and BA, to try. Trykeys takes the file of potential keys and tries to implement them.
A core dump, however, is a contiguous snapshot of a processes' memory. When the core dump is created, the memory pages assigned to the scope process are all arranged in the correct order by the kernel. The process of creating a core dump is handled at the OS level thus the OS can organize the memory pages into the correct order as they are written to a core dump file. Thus with a core dump, the keys will be contiguous as they are represented in their actual underlying class structures and are easily discoverable using the 'shortcut' of using a hex editor to search for your serial # or scope Id.
Whenever possible, I encourage people to use the core dump method, it is cleaner and faster. However, understandably some folks have a problem getting a core dump (I cannot replicate this issue on my scope, each and every time I follow the posted 'process' in the previous post, I get a core dump, so I have no idea what makes my scope different from someone else's). For those who cannot get a core dump, then the memory dump/findkeys/trykeys route is their only option to recover the license keys they previously paid for and accidentally lost the paperwork on.
-
SIGABRT and SIGSEGV should produce a core dump, but Linux has the ability to prevent that via compile time options as well as other means I've not been able to sort out. There is a core_dump_filter in /proc/<pid>, but I don't know any of the details. I use Solaris like God intended whenever possible.
My use of Linux is like my use of Windows, it is only done under coercion.
-
My method was slightly different:
1. dump memory to fat32 formatted USB through web interface on 1104x-e - wait 1minute after performing this, then shut down the scope before doing anything else.
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
2. Compile find keys using Visual studio - https://github.com/Siglent/FindKeys
3. Run find keys on PC on the the memory dump - note you need to edit the config json.
4. Flash custom firmware with known telnet/root password ( https://www45.zippyshare.com/v/SEUJEWE1/file.html) - Follow instructions in pdf in the file. (note flash drive needs to be either 8gb or 32gb) - I tried to find a way to not do this, but it's the easiest way of getting root access.
5. Set up network on SDS1104x-e
6. Compile trykeys ( https://github.com/Siglent/TryKeys )
7. Use trykeys on a PC on the same network using the key file from findkeys, wait for reboot on 1104 - save the keys that are found - Note you need to edit the config json within findkeys
8. Update firmware to latest firmware from siglent
-
I think I found an easier way to get the mem dump. I did this without needing to set a known root password.
...
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
that worked for me as well (options and BW), tested with unhacked new SDS1204X-E software version 8.1.6.1.26
-
Now we are talking. I'd much rather avoid tinkering around with modded firmware. I'll give this method a try.
-
My SDS1104X-E arrived today with 7.1.6.1.25R2 (stock) on it.
After some fun (creating a wireless client bridge to get wired LAN handy, and using Ubuntu in a VM to format the flash drive for the Unixy flash boots) I was able to log in, run the commands, and rebooted.
At that point my model number went from SDS1104X-E to SDS1204X-E. :-+
(Note to others: For the "OSV" updates, if you try to format the USB from Windows (certainly 10, maybe earlier ones) you'll likely have an annoying time of it. Bite the bullet and format and extract from Linux.) The only clue you'll have that it's working is it takes a bit longer to boot up, and the telnet password ends up working. If you're already on 7.1.6.1.25R2 like I was I'm almost certain the stock "SDS1004X-E_OSV1_EN-1.zip" step is not necessary, just the modified one.
I then grabbed the "SDS1004X-E_6.1.26_EN.zip" update and installed that. The model number is still 1204, and the firmware is now 7.1.6.1.26. I can still log in via telnet so all this suggests the unlock and mod worked.
One question though... I see mention of "8.1.6.1.26" in the thread here: is that some entirely different firmware, a typo, or what? Am I (at the moment) on the latest and greatest with 7.1.6.1.26?
Edit: One other bit of advice - if using a VM to format disks and such and you have problems with new DHCP addresses (as I just did with the SDG2042X I'm fiddling with now) be sure to shut down that VM to rule it out - in my case it made it impossible to route to the new device under test!
-
One question though... I see mention of "8.1.6.1.26" in the thread here: is that some entirely different firmware, a typo, or what? Am I (at the moment) on the latest and greatest with 7.1.6.1.26?
i made dump of my dso (8.1.6.1.26), haven't found any binary differences to OS update file (7.1.x.xx) nor to latest available firmware.
Sure there might be still something different in mtd7 or mtd8, but due to lack of dump from 7.1 i can't compare, but probably there is no diff a well.
-
8. And 7. Are the exact same. Just a rename.
-
I found a much easier way to root the scope.
After mounting the cramfs from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox. And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.
tl;dr:
Go to the SCPI web interface and send:
SHELLCMD telnetd -l/bin/sh -p9999
Then, use your favorite Telnet client to attach to port 9999. You are in -- no password challenge.
Edit: Did I note that one does this with stock firmware?
-
All the fun new things that turn up from a little digging :)
Great work ewaller
On the not so stock side, Getting the hang of patching out most of the typos in the scope software,
Main pain is the HISTORY_LIST query, they pointed command and query to the same string so having to shuffle stuff around to fit a new string.
-
I found a much easier way to root the scope.
After mounting the cramfs from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox. And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.
tl;dr:
Go to the SCPI web interface and send:
SHELLCMD telnetd -l/bin/sh -p9999
Then, use your favorite Telnet client to attach to port 9999. You are in -- no password challenge.
Edit: Did I note that one does this with stock firmware?
Do you think it is then possible to change the default root password?
-
Do you think it is then possible to change the default root password?
Not from that shell. The /etc/shadow file that contains the password hash is in a cramfs (Cram File System https://en.wikipedia.org/wiki/Cramfs ) which is inherently read only. The solution that has been used to date involves updating the system with a rebuilt cramfs with a /etc/shadow file that has the new password hash in it; then that file system -- in it entirety -- is uploaded to the scope at boot time.
Part of my motivation was was to find a way to root the system when running stock firmware; and the nice part is that it requires no password. With this, I think it will be possible to run code from a USB drive that has been cross compiled for ARM. There may be issues find finding dynamically linked libraries, and the USB drives may be mounted with the noexec flag (meaning the OS will refuse to run code from the device). I forgot to check that last night in my exploration :) I'll look tonight.
-
I'm guessing the SCPI SHELLCMD functionality will either be PDSH'd, or removed completely, in an upcoming firmware release ;D
-
I found a much easier way to root the scope.
After mounting the cramfs from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox. And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.
tl;dr:
Go to the SCPI web interface and send:
SHELLCMD telnetd -l/bin/sh -p9999
Then, use your favorite Telnet client to attach to port 9999. You are in -- no password challenge.
Edit: Did I note that one does this with stock firmware?
That is awesome - works perfectly. Thank you.
-
I should also point out, most of the recent methods listed here should work just fine for a number of BK precision scopes. :)
-
I found a much easier way to root the scope.
After mounting the cramfs from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox. And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.
tl;dr:
Go to the SCPI web interface and send:
SHELLCMD telnetd -l/bin/sh -p9999
Then, use your favorite Telnet client to attach to port 9999. You are in -- no password challenge.
Edit: Did I note that one does this with stock firmware?
Hi, everyone. I have this scope on order and it should be here in a few days.
I very much appreciate the graciousness, expertise and effort that it took each and every participant to develop this thread. Thank you!
I am considering this upgrade, but its means is completely outside my knowledge base. I see that the steps are summarized, in the first post, but I have questions about how this post relates to the first.
- Is Ewaller's method the complete protocol, or only a portion of it?
- If it is complete in itself, Ewaller, please write a start to finish tutorial using it, for us noobs. Post #68 is still above my pay grade.
- If it is only a portion and it being easier, has it been incorporated into Post #1? If not, please do so.
Thank you for your help and kindness. I am sure I will have lots more questions.
PS: My current OS is Windows 8.1. I expect to buy a new laptop, soon. It will, likely, have Windows 10/Home.
-
His method gets you root access to do just about anything you want on the scope without changing from stock,
Earlier there was the memdump SCPI command that lets you dump out the memory, then its just a case of searching with a hex editor for the strings,
If someone doesn't write it up in the next day or two, I can. but the earlier memdump method is all you need to actually find the option codes.
The telnet access is more if you want to fiddle with the scope
-
His method gets you root access to do just about anything you want on the scope without changing from stock,
Earlier there was the memdump SCPI command that lets you dump out the memory, then its just a case of searching with a hex editor for the strings,
If someone doesn't write it up in the next day or two, I can. but the earlier memdump method is all you need to actually find the option codes.
The telnet access is more if you want to fiddle with the scope
Thank you, Rerouter.
I understand a little of this, but....
Is it that Post #1 gets you the 200MHz and nothing else? Or the options, too?
Is it that with the Ewaller method you could access the entire firmware and, given that you wrote code, you could modify it?
I just want the greater bandwidth and to use the pay-to-play options (with non-Siglent devices, like my own function generator, WiFi dongle, etc.)
I appreciate your help.
-
the memdump method will get you a file that has all the option and bandwidth codes, just takes some digging with a hex editor.
Working with your own wifi dongle is harder to say. at this point it only has a driver for the MT7601 dongle, If your familiar enough with linux drivers you can probably try and make another work via patching, but doubtful out of the box.
With your own signal generator is equally a little difficult, If you want to use the bode plot mode then you need to use similar to an earlier thread where a Python application on another PC pretended to be a networked signal gen and translated the commands, There may be a way to patch in other devices, but I have not gone digging deep enough, I defiantly know where all the bode plot strings are located, but not sure if its just a straight patch or if it needs to be broken into elsewhere,
-
Thanks, Rerouter. Much appreciated.
-
If you have used up all of your trial runs for MSO, WIFI or AWG; and you have not purchased your licence keys, you may be able to reset the number of trial runs by sending the following through the web interface SCPI mechanism (here I set the number to 99)
SHELLCMD echo -n 99 > /usr/bin/siglent/usr/usr/options_awg_times.txt
Replace the awg with wifi or mso as appropriate. change 99 to the number of demo runs you desire.
These files have exactly two characters in them with no n/l or l/f, hence the -n option on echo. 99 may, or may not be a maxima -- again, these files have exactly two characters in them.
Note, I cannot actually test this through the GUI any more as my options are all permanent, but I am fairly certain this will work for those of you who need a couple more demo runs to decide. I can see that the contents of these files do change the way I expect. Please let me know.
-
Hi,
I do not know if it is OK to ask here of if I should start a new thread...
as I'm taking into account to buy a second hand SD1104X-E I'd like to know if any of you is aware of any hardware revision during the last year.
thanks
-
yep, 04 as of the last month, no significant changes to functionality has been observed.
03 I can only speak of back to mid july, when my unit was made. it appears the FPGA code was compiled for 03 on the 7th of march 2018, so 02 likely was from before this date.
-
Hello, i applied this Unlock (ProMode) to my 1104x-e, works great (havent tested the extra features)
But i noticed a bug(?)
I did some decoding a month ago, then i turned it off, unplugged the scope and put it on a shelf.
A month later i plugged it back in, booted it up. it was dead slow. time between action and reaction was like a minute. totally locked up
even after reboot.
Only fix was to hit the default button.
Did anyone notice this without the hack applied? Could it be the Production Mode im in?
-
I followed plurns and vt100's posts as regards dumping memory to a usb and then looking through the dump in a hex editor.
Worked perfectly to recover all the codes.
Thanks a million.
-
I received my scope last night, and managed to get everything sorted nicely, however there were a few things that weren't quite as some other people seem to have found them, it was already running the latest firmware (6.1.26), not sure if that's the reason.
1. I didn't need to use a special copy of bash to get a core dump, the stock bash worked exactly the same as the special one (however see 2.)
2. The core dump didn't contain the required information, it was only about 200meg, so quite a bit smaller than other examples shown here (and smaller than the 250meg memory dump.)
3. Restarting the sds1000b process didn't work properly, a few errors and the scope was unusable, so I suspect this is the reason it didn't contain the right data.
So I resorted to a much simpler way as described by some other posters...
1. Use "SHELLCMD telnetd -l/bin/sh -p9999" to start an unauthenticated telnet server.
2. Connect to the scope using "telnet <ipaddress> 9999"
3. Insert a USB stick
4. Dump memory to the stick using "cat /dev/mem > /usr/bin/siglent/usr/mass_storage0/U-disk/memdump"
5. Pull the stick (I ran "sync" first, but I'm a legacy unix guy, need to see if that's really necessary), otherwise cleanly unmounting would be better.
5. Use a hex editor to find the keys as per post 39, from about step 20 onwards ... which worked perfectly, no obvious issues with the page ordering making it difficult to find things.)
It took about 10 mins start to finish once I'd decided to go the /dev/mem route.
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.
What a nice scope ... this was an upgrade for me from a DS1052E, so it's fantastic! Thanks to all for providing this info!
-
1. I didn't need to use a special copy of bash to get a core dump, the stock bash worked exactly the same as the special one (however see 2.)
a core dump is substantially smaller than an entire memory dump. With the core dump you're only going to get the memory associated with the running task, compared the memdump, where you'll get all the scope's memory.
Its curious you didn't find the keys in the core dump.... the only thing I can think of, is, perhaps, you took the core dump prior to the sds1000b process creating the keys within its memory pages (there is logic in the scope app to generate the keys using the scopeid and serial # to check against the licensed options, they are not hard-coded in the scope app) so if you took a core dump prior to that routine executing (and at what point it runs, who knows). I'd be interested in taking a look at the core dump if you'd be willing to share it.
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.
These methods will continue to work until Siglent pdsh's the SCPI SHELLCMD, or disables telnet access completely by removing the telnet binary from cramfs, in an upcoming firmware revision.
-
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.
These methods will continue to work until Siglent pdsh's the SCPI SHELLCMD, or disables telnet access completely by removing the telnet binary from cramfs, in an upcoming firmware revision.
time(1) will tell you when the cat completes.
-
Hi, does the hack actually work? I mean, has anyone verifyied wether the hacked scope actually works at 200Mhz bw or all it does is changing the system info page?
-
Hi, does the hack actually work? I mean, has anyone verifyied wether the hacked scope actually works at 200Mhz bw or all it does is changing the system info page?
You can see here how the 100 MHz roll off is much improved after improving to the 200 MHz model:
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613374/#msg1613374 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613374/#msg1613374)
There's some further supporting info in subsequent posts.
Also have a hunt through rf-loop's posts, he's switched his SDS1104X-E back and forth.
I've never hacked one but the info here is entirely convincing that it is a valid upgrade. ;)
-
I wanted to thank all the contributors for all the various unlocking instructions, especially VT100 whose instructions I was following per post #39 for the keys to my options upgrade. It's nice to have a fully upgraded scope, at just the right price. ;D
However, I have a question that I hope someone can clear up:
I first updated the bandwidth via the rooted OS & bandwidth.txt -> bandwidth.bak method, as that felt the most comfortable to me at the time. With that success, I started to feel more confident (or cocky, I suppose, lol) and thought I would then use the mem dump method to find the keys for the options, which I then also successfully updated.
So, this means that I did not use the "keys" method to update the bandwidth. Also, the bandwidth keys in my mem dump did not show a "duplicate" key indicating that the 200M license was active, but there is a "200M" reference nearby, and the PRBD? command shows "200M".
In addition, in my mem dump, there were only four 16 char bandwidth-license strings, and not five as VT100 suggested would be there, (i.e. indicating that one of them should be duplicated to represent the license key that the scope was operating under.) (Image attached)
I'm tempted to run the MCBD <license key> key command for what appears to be the 200M key (the second one, I presume, per VT100), as a belt-and-suspenders insurance that a future update won't clobber the "bandwidth.txt -> bandwidth.bak method" of bandwidth upgrade and return my scope back to 100M.
I guess I'm asking if anyone has an understanding or feel for the difference between a 200M license key install vs simply removing/renaming the bandwidth file? If I execute MCBD on what I've labelled the "200M key", will that duplicate the key (when I dump it again?) as VT100 suggests it should be?
I'm a bit confused that neither the 100M or the 200M key is showing as a duplicate, as I would have thought that, if VT100 is correct, at least one of them would be authorizing at least one bandwidth option.
I've attached a shot of the relevant part of the mem dump for the bandwidth keys.
Thanks again! :-+
-
Run the command. When a valid bandwith or option code is entered. The scope saves a bandwidth.txt or option.txt. so if your not seeing one yet it may change with later updates.
This would also explain why your not seeing the current code. It reads it from that txt file.
-
Brilliant! Thanks, Rerouter.
I ran the MCBD command with the suggested 200M key (from my dump file as attached earlier), and then went into the scope via telnet and checked for the bandwidth.txt file. It was there, as you called it, along with the older bandwidth.bak file from my original update.
I've attached a shot of the content of each file, the .txt now containing the 200M key, and the .bak containing the original 100M key.
I've also attached an updated memory dump excerpt showing the now repeated 200M key.
All good now! Thanks for the prompt response. :-+
Nick
-
So, this means that I did not use the "keys" method to update the bandwidth. Also, the bandwidth keys in my mem dump did not show a "duplicate" key indicating that the 200M license was active, but there is a "200M" reference nearby, and the PRBD? command shows "200M".
As earlier posts have indicated modifying the bandwidth.txt file puts the scope in "PRO MODE" which basically bypasses the licensing process so you have a scope with all options and full bandwidth. The problem with this approach is the next firmware update could easily change this by placing the scope into complete lockdown with no options and minimal bandwidth. Once you have your license keys, you never need to worry about losing access to bandwidth or options.
In addition, in my mem dump, there were only four 16 char bandwidth-license strings, and not five as VT100 suggested would be there, (i.e. indicating that one of them should be duplicated to represent the license key that the scope was operating under.) (Image attached)
This is expected. One of those 5, the "duplicate", is read from your filesystem and compared against the other 4 generated keys to determine what bandwidth your scope has. By "hacking" the config file you eliminated the "5th" key and now only see the 4 that the scope program generates for comparison. This is the 'expected' behavior given you changed the bandwidth.txt file.
I'm tempted to run the MCBD <license key> key command for what appears to be the 200M key (the second one, I presume, per VT100), as a belt-and-suspenders insurance that a future update won't clobber the "bandwidth.txt -> bandwidth.bak method" of bandwidth upgrade and return my scope back to 100M.
Even if you enter the wrong one, you can always enter another one to change it again. the MCBD command is not a one-shot deal.
I guess I'm asking if anyone has an understanding or feel for the difference between a 200M license key install vs simply removing/renaming the bandwidth file? If I execute MCBD on what I've labelled the "200M key", will that duplicate the key (when I dump it again?) as VT100 suggests it should be?
See paragraph #1 above.
I'm a bit confused that neither the 100M or the 200M key is showing as a duplicate, as I would have thought that, if VT100 is correct, at least one of them would be authorizing at least one bandwidth option.
See paragraph #2 above. Your scope isn't licensed w/ any bandwidth key, it's in PRO MODE. Hence you only have 4 keys in your mem dump, not 5.
-
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?
More importantly, someone mentioned a slight hardware difference in the analog front end of 1104x-e and 1204x-e. So, even if I can make my 1104 'think' he is a 1204, how can I make up for the hardware difference?
-
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?
It is not an option one can purchase. The scopes use the same platform -- apparently -- and their behavior is defined by a configuration that corresponds with the model it is sold as. It is supposed to be immutable. What is not known is whether there are any inherent differences in the hardware platforms? For example, would it be unreasonable to brand a scope that does not quite meet all the requirements for a 200 MHz scope as a 100 MHz scope? I don't think so. But, if one changes the configuration, and the scope well enough works at 200 MHz, why not? Of course, I would assert that the calibration is not valid when the scope is in that mode, it may not be possible to get the scope calibrated in that mode, and (regardless) the cost of calibrating this scope (whether it is an 1104 or a 1204) is going to approximate the cost of a new scope anyway.
-
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?
It is not an option one can purchase. The scopes use the same platform -- apparently -- and their behavior is defined by a configuration that corresponds with the model it is sold as. It is supposed to be immutable. What is not known is whether there are any inherent differences in the hardware platforms? For example, would it be unreasonable to brand a scope that does not quite meet all the requirements for a 200 MHz scope as a 100 MHz scope? I don't think so. But, if one changes the configuration, and the scope well enough works at 200 MHz, why not? Of course, I would assert that the calibration is not valid when the scope is in that mode, it may not be possible to get the scope calibrated in that mode, and (regardless) the cost of calibrating this scope (whether it is an 1104 or a 1204) is going to approximate the cost of a new scope anyway.
So basically you are confirming my fears... we can hack it to 200Mhz but we can't be sure the scope is working properly in that mode and, worst of all, calibration in the hacked scope may not be valid anymore! So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
-
So basically you are confirming my fears... we can hack it to 200Mhz but we can't be sure the scope is working properly in that mode and, worst of all, calibration in the hacked scope may not be valid anymore! So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
No arguments from me there. I did opt for the 1204x-e. All I can say is that I cannot back my assertion that they may not be the exact same platform -- they could be. But, I will stand behind my assertion that the calibration is not valid for a 1104x-e at 200 MHz
-
So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
How can I word this correctly... umm... well, let's just say if you *need* 200mhz (with the associated calibrated accuracy) then spend the couple extra hundred, since (perhaps) your livelihood depends on it.
On the gripping hand, if you're just messing around with the scope in your shack, and that calibrated accuracy is not that important... why not?
Assuming of course the hardware platforms are different... which I doubt. I'm willing to wager the scopes are identical, and all that changes is the sticker on the front of the case and the bandwidth license pre-installed.
Much akin to how Windows now has several versions, all of which are on the DVD, but the features available to the user depends on the product key used to activate the product.
-
Thanks for the clarifications, I've now got a much better understanding of how the key mechanism works. Trying to assimilate that combined knowledge from all the various thread posts was a challenge, and perhaps my questions & your answers have helped others as confused as I.
One more question on the same topic: I am also curious as to how the "option keys" work for the Wifi, MSO and AWG modules. In the normal course of events, if I were to buy an AWG for example, how would the key needed to activate my scope to use the AWG be communicated to me (assuming that the option key itself is unique to my scope)? Does the AWG itself communicate/handshake with the scope to authorize its use? Would there be a piece of paper with the AWG that contains a code that needs to be entered somehow?
And why the need for an option key at all? Is it just a function of wanting to prevent knock-off Wifi, MSO, and AWG modules from working with the scope? If you have to pay for the module anyway, I can't see any other reason for needing an option key mechanism in the first place.
Thanks again -
-
The SAG1021 AWG can be thought as 2 units if you like, one for Bode plot usage where NO licensing is required and as a reasonably well featured AWG controlled from within the scope UI. For that functionality you do need the licensing.
Edit to add; Only once the trial licenses have expired is any option licensing required.
-
I question the option vodes as anything other than a money grab. But the scope is the only thing that needs the code entered. While I have yet to get it to work. The AWG option should also respond via SCPI over usb. But i have yet to successfully test that.
You get option codes on printed off sheets of paper if you buy them with the scope. Possibly similar via email if after the purchase.
The AWG interface is limited via the scope UI. It leaves out any way to configure the SweepWave, BurstWave, ModulateWave, and ArbWave. Not to mention there is everything already in place for the scope to capture a waveform and to play it back under any of these modes. But I have not yet found an easy way to do that.
-
I question the option codes as anything other than a money grab.
Er well yes but only for 3 options whereas other 'money grabbing' brands like Tek, KS, R&S, LeCroy, Rigol etc will want to charge you for more. Decode is commonly an option for most brands while Siglent provide it for free.
Your point is ? :-//
But the scope is the only thing that needs the code entered. While I have yet to get it to work. The AWG option should also respond via SCPI over usb. But i have yet to successfully test that.
SAG1021 arbitrary use is intended to be via the EasyWave SW where you will use SCPI commands.
This is all mentioned in the X-E datasheet.
You get option codes on printed off sheets of paper if you buy them with the scope. Possibly similar via email if after the purchase.
Maybe, maybe not.
If I have them at sale time I'll install them and pack a sheet/s of paper with them printed on too.
Otherwise it's a pdf in an later email with an option authorization code with which you go onto Siglents option generation website and enter it along with model type and SN#. The 'real' option code is then generated automatically and you have the option to get it on a pdf with installation instructions. This is what we normally add to the box prior to shipment.
The AWG interface is limited via the scope UI. It leaves out any way to configure the SweepWave, BurstWave, ModulateWave, and ArbWave. Not to mention there is everything already in place for the scope to capture a waveform and to play it back under any of these modes. But I have not yet found an easy way to do that.
Good point, maybe 'play' a captured waveform can be added into future FW. :-+
-
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?
-
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?
Of course.
After then it is SDS1204X-E (except front panel model sticker) and works as SDS1204X-E including everything - (if it is properly modified).
Only difference is front panel sticker and probes included in carton. But even these probes are not bad for 200MHz. (you can find probe test in this forum)
-
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?
Of course.
After then it is SDS1204X-E (except front panel model sticker) and works as SDS1204X-E including everything - (if it is properly modified).
Only difference is front panel sticker and probes included in carton. But even these probes are not bad for 200MHz. (you can find probe test in this forum)
Someone before asserted that factory calibration after the hack was not valid anymore.
-
Someone before asserted that factory calibration after the hack was not valid anymore.
Then, go ask that "someone".
-
Someone before asserted that factory calibration after the hack was not valid anymore.
Then, go ask that "someone".
It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
-
Someone before asserted that factory calibration after the hack was not valid anymore.
Then, go ask that "someone".
It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.
-
Someone before asserted that factory calibration after the hack was not valid anymore.
Then, go ask that "someone".
It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.
I must not have traceable equipment but I must have accurate equipment. So, if hacking the scope makes me lose accuracy I'm not gonna hack it. So: am I losing accuracy with the hack?
-
Someone before asserted that factory calibration after the hack was not valid anymore.
Then, go ask that "someone".
It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.
I must not have traceable equipment but I must have accurate equipment. So, if hacking the scope makes me lose accuracy I'm not gonna hack it. So: am I losing accuracy with the hack?
'Proven' -3dB BW of hacked SDS1104X-E is ~230 MHz and and amplitude spec is +3% like all DSO's, is that good enough ?
-
So, in the 1104x-e the 100Mhz bandwidth is obtained by limiting the full 200Mhz bandwidth via a software low pass filter? No hardware?
-
The 100Mhz bandwidth limit is achieved by FIR filter coefficients (https://en.wikipedia.org/wiki/Finite_impulse_response) - these coefficients are different for the different bandwidths. The FIR filter is implemented in the FPGA, and applied to the signal coming from the ADC.
Short answer - it is software, but not software running on the ARM CPU.
The 20Mhz selectable bandwith limit takes place in the analog front-end, and so is implemented in hardware.
--Ian.
-
Very interesting. I really like this scope and, with this hack, you are getting a tremendous bang for your buck (4 channels, 200Mhz, 1Gsa/s, double ADC for 500$). This is double the scope w.r.t. a Rigol 1054z for only 50% more in price. Big A Brand scopes with similar features are at least three/four times as expensive. Besides, the hack is really a piece of cake.
-
Got it to work, many thanks for the instructions. Note that if you go with the Visual Studio solutions, in the TryKeys you have to change the hardcoded 23 port to 9999 if you want to use the telnet daemon started via SCPI (SHELLCMD telnetd -l/bin/sh -p9999). Also comment out the TelnetClient.login section as it is not needed (and even fails) for this telnet access. Changing the port number from 23 to 9999 in the .json is not enough unfortunately.
This scope is one of the best deals around, got it for $125 off MSRP from Amazon Warehouse Deals and now unlocked 200MHz and the 3 other items :) :)
Also, Newegg has the TL-WN725N wifi USB dongle for only $7 using code EMCTUVA36 for $3 off. Just bought one for my new scope. This same module is offered by Siglent for a mere $49 at https://store.siglentamerica.com/product/sds1104x-e-100-mhz/ Is this scope compatible with many wifi adapters or just this one?
-
The scope only has the driver file for that exact wifi dongle. however the drivers are inside a directory that you can write files to, (needs to remount the directory),
Your free to try loading other drivers for other dongles, But i cannot say if it will work, as Its unclear to me exactly how the system app is hooking into it at this point.
\bin\siglent\drivers\mt7601u.ko
-
Very interesting. I really like this scope and, with this hack, you are getting a tremendous bang for your buck (4 channels, 200Mhz, 1Gsa/s, double ADC for 500$). This is double the scope w.r.t. a Rigol 1054z for only 50% more in price. Big A Brand scopes with similar features are at least three/four times as expensive. Besides, the hack is really a piece of cake.
If compare Rigol 1kZ with Siglent 1104/1204X-E they give really lot of more performance and features than just more bandwidth and samplerate.
What big A brand scope have one scope with waveform history buffer, full memory measurements with full sample resolution, fast segmented memory with up to over 100M memory, true full resolution 500uV/div, up to 32000 bytes single shot I2C decode (simultaneously 2 independent separate I2C bus), or 1000bytes/channel single shot UART decode (simultaneously 2 separate independent UART RxTx bus) etc... and all this online and offline including history buffer.
1Mpoints FFT, 3 channels 501point BodePlot (need external what ever Siglent SDG) even with 500Hz span (1Hz step) for narrow filters, semi fast XY (up to 60kwfm/s (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1801388/#msg1801388)) including intensity gradation, XY plot history buffer and YT measurements in XY mode. Even simplest thing, Sinc interpolation, Rigol 1kZ box can not do right way. In siglent there is always available true samples and interpolation is fully post processed and user have full freedom to select right display mode/interpolation afterwards (example when looking stopped scope including wfm history buffer.) This is also important in real tool when user need detect if displayed wfm include well known Sinc interpolation "problems" when signal have fast changes related to current sample interval.
So, what we compare to what... perhaps lemons and shoes.
-
If compare Rigol 1kZ with Siglent 1104/1204X-E they give really lot of more performance and features than just more bandwidth and samplerate.
What big A brand scope have one scope with waveform history buffer, full memory measurements with full sample resolution, fast segmented memory with up to over 100M memory, true full resolution 500uV/div, up to 32000 bytes single shot I2C decode (simultaneously 2 independent separate I2C bus), or 1000bytes/channel single shot UART decode (simultaneously 2 separate independent UART RxTx bus) etc... and all this online and offline including history buffer.
1Mpoints FFT, 3 channels 501point BodePlot (need external what ever Siglent SDG) even with 500Hz span (1Hz step) for narrow filters, semi fast XY (up to 60kwfm/s (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1801388/#msg1801388)) including intensity gradation, XY plot history buffer and YT measurements in XY mode. Even simplest thing, Sinc interpolation, Rigol 1kZ box can not do right way. In siglent there is always available true samples and interpolation is fully post processed and user have full freedom to select right display mode/interpolation afterwards (example when looking stopped scope including wfm history buffer.) This is also important in real tool when user need detect if displayed wfm include well known Sinc interpolation "problems" when signal have fast changes related to current sample interval.
So, what we compare to what... perhaps lemons and shoes.
No need to get upset. I'm with you. I was simply saying that these scopes are a tremendous value and that A Brand scopes with similar (similar!) features cost many times more. The other big contender which surpasses these scopes spec-wise is the new Rigol MSO5000, but for double the price. So 1000x-e scopes are still the best value on the market IMHO.
-
The scope only has the driver file for that exact wifi dongle. however the drivers are inside a directory that you can write files to, (needs to remount the directory),
Your free to try loading other drivers for other dongles, But i cannot say if it will work, as Its unclear to me exactly how the system app is hooking into it at this point.
\bin\siglent\drivers\mt7601u.ko
I used a TPLink wifi dongle on mine and it worked fine.
-
I am going to try installing a few other wifi dongles and will provide any success stories in an additional thread. For me, I would like an AC dongle so I dont have to run legacy Wireless at home - just for the scope... I doubt the speed difference would help with the web server.
-
The $7 wifi adapter arrived from Newegg yesterday and it is the TP-Link TL-WN725N v3. It connected it to my SDS1104X-E & gets a valid IP via DHCP. I can't seem to access the scope web interface though. Via wired Ethernet it works fine. Running latest firmware with wifi feature unlocked.
Does the driver support all three TP-Link TL-WN725N versions? It seems so given that DHCP worked and the message pops up 'WLAN connected' but I cannot access the web interface or even ping the scope. Again, wired all working. I tried both USB ports, front and back.
-
The $7 wifi adapter arrived from Newegg yesterday and it is the TP-Link TL-WN725N v3. It connected it to my SDS1104X-E & gets a valid IP via DHCP. I can't seem to access the scope web interface though. Via wired Ethernet it works fine. Running latest firmware with wifi feature unlocked.
Does the driver support all three TP-Link TL-WN725N versions? It seems so given that DHCP worked and the message pops up 'WLAN connected' but I cannot access the web interface or even ping the scope. Again, wired all working. I tried both USB ports, front and back.
Have a study here:
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2038612/#msg2038612 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2038612/#msg2038612)
-
I just got this scope and completed the *upgrade*. My experience was a mashup of other users, so I figured I would comment on what didn't work and what I ended up doing to achieve success.
What didn't work:
I followed the core dump procedure. I did the following:
- Run the SCPI command SHELLCMD telnetd -l/bin/sh -p9999
- Connect to the scope and follow the remaining core dump procedure on post #39
There are a few typos, but I was able to execute the procedures. I ran through it several times and was never able to generate a core dump on the first try. I then tried simply restarting SDS1000b.app without rebooting the scope and killing again (not what the above procedure suggested). A few times I was able to get the core dump file to generate, but that lead to another problem. As another user stated, the scope buttons remained unusable, even after restarting the app. The only way to recover was a power cycle. This would wipe out the core file that was created. In addition to the buttons not working, the scope would not detect the USB drive anymore to copy the core dump too. The Linux OS would detect the drive, but it would not mount. I had to manually create a temp directory in /usr/bin/siglent/usr/mass-storage/ and manually mount /dev/sda1 to it to copy the core dump. I did this several times with several core dumps. I got a ~207MB file each time, but most of it was empty and searching for the string "SDS1000X-E" always yeilded "no match". So, this method did not work for me. Perhaps someone can explain why?
What did work:
Using following command to get a mem dump on the USB drive worked perfectly: post#54
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
The flash drive I was using had an LED indicator that flashed when preforming a read/write and slowly dimmed when idle making it easy to tell when the file was done writing, which was nice. I created several mem dumps to compare. Each one was different, which was expected, but I noticed only one contained my BW keys in a contiguous block that was human readable. None of them contained the options keys in a contiguous block, thus I needed to use some tools. I ended up trying the FindKeys and Trykeys tools mentioned in post #38. make sure you have the current version of Visual Studios (I ran VS2017 15.9) and install .NET Core 2.1 as that is what the tools run on.
Define the proper parameters in the FindKeys .json file as instructed in the repo readme and run the FindKeys tool against your mem dump file. It will generate a txt file that has all the possible combinations of possible keys through the fragmentation of the mem file.
Define the proper parameters in the TryKeys .json file as instructed in the repo readme. I noticed some things about the TryKeys program that should be addressed before running it.- It is setup to use authentication for the Telnet connection. This is not needed if using the below method to create an unauthenticated Telnet session. If the code is ran with the authentication step, it will hang. Simply comment out the IF statement if(!client.login() ...) to skip this.
- I noticed that the code did not handle the response of the Telnet command properly WRT the bandwidth file. When parsing out parts of the response, it didnt seem to take into account that there was more information than expected. For example, if you selected "true" in the .json file to update the bandwidth.txt file, it reads the bandwidth file to see what the current key is. The response contained the entire cat command and PWD, but the code only grabbed the first 16 characters assuming it was the currently activated key string, but it was not. I selected "false" in the .json file so that it did not try to update the bandwidth and bypassed this whole mechanism. Perhaps it should use the .Contains() method as it does elsewhere in the code? I did the BW update in a later step below.
- The telnet port is hard coded to check that 23 is used, but the .json file allows you to set a port number. This is odd as it will fail the comparison if anything other than 23 is used, so why make it a user definable option in the .json file??? :-// I changed the code to allow any port to be used (9999 in my case).
- The code will try to send each key generated from the FindKeys txt file for each option. When the scope generates the corresponding options file, the program reports success for that key and moves on to the next option. The program then reports what key worked for each option. I ran this in single step because the program closes immediately after it finishes leaving no chance to write down the information (I also did this to make sure I understood what it was doing in each step). A pause should be added at the end if not running in single step if you want to document the keys. Or, you could always cat out the license file it generates. They contain the valid keys too.
The root telnet access method is needed for the TryKeys program to run:
Run the SCPI command SHELLCMD telnetd -l/bin/sh -p9999
Then run the Trykeys based on the above config/recommendations.
If you didnt use the Trykeys to update the bandwidth (like me), run the SCPI command MCBD (license key) where (license key) is the key for the bandwidth you want, to update it manually. Then reboot and check with the PRBD? command to verify.
All in all, I think the method that worked for me is the simplest as it requires no software modifications (I was running 7.1.6.1.25R2 out of the box). It is also the most reliable as I was able to get the mem dump file every time I ran the command and all the files ended up producing the valid keys.
Hope my experience makes this process easier for others! I am really enjoying me new scope!
-
Hi All - Instructions are very good, thank you! After reading the entire 5 pages of posts I ended up doing the following. Also for the record my scope was bought in Jan-2019 with 6.1.25.R2 and I had upgraded to 6.1.26 before doing this. (7.1. prefix shows up the FW revision i.s. 7.1.6.1.26)
I did the mem dump technique below and did get the 250M file (thanks to post #54)
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
I used the Mac OS "Hex Friend" editor to view the memdump.bin file and initially I thought I wasn't getting it but then it kinda stuck out like a sore thumb exactly as described in post #39 steps 21 - 23. What I'm NOT seeing are the Option codes #38 step 24. I see my serial number in two places but no 16 character strings nearby.
I started to try to use FindKeys but I don't use Visual Studio so not sure what I was doing there. I did a build the FindKeys prj and it did put a bin folder with a FindKeys.DLL and FindKeys.json but I don't understand how to run that... I thought there would a FindKeys.exe file? But Bandwidth was the main thing I wanted to upgrade... I will keep checking back here and maybe try the option codes again later... need a break now haha... Many thanks!
��������������
-
This refers to the just plain nastiness here, specifically on the 1st page and throughout this thread (and others).
It's a sad state that certain individuals (that happen to be at a higher level) look down on anyone that doesn't meet their standards. Especially when they question previous post simply because the text was not clear enough.
To these 'individuals'; everyone is NOT at your esteem level of knowledge. What MAY be simple to YOU, isn't to others. We have one Dictator Trump in my country that thinks is is always right, the world doesn't need more like him.
-
BTW, the thread title does state "step by step" which means exactly that. NOT skipping details (other than very basic), under the assumption those details should be already known..
-
everyone is NOT at your esteem level of knowledge. What MAY be simple to YOU, isn't to others.[/color] We have one Dictator Trump in my country that thinks is is always right, the world doesn't need more like him.
IMHO it is a wrong comparison as people writing here do have some real competence while Trump competence is limited to his very peculiar hair style ;D
-
hi guys. Is there any hack for SDS1102X model (not X-E)?
I tried to execute these commands through VXI11 SCPI:
- "SHELLCMD telnetd -l/bin/sh -p9999"
- "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage0/U-disk/memdump"
but telnet didn't started and it even doesn't try to access usb stick... :(
Unfortunately there is no response from SHELLCMD command executed on VXI11 SCPI interface, so I even don't know if it is implemented...
-
The X model is blackfin based not arm-linux,
This thread seems to be for it, but it seems it needs a hardware patch for full bandwidth from a quick glance,
https://www.eevblog.com/forum/testgear/siglent-sds2000x-hack/ (https://www.eevblog.com/forum/testgear/siglent-sds2000x-hack/)
To Videobruce, If you need help, ask nicely, Most of the later discoveries where made by different users than those in the first few pages,
The SCPI memdump method is the most recent, in that it requires no custom firmwares or rooting, but as a trade off the memory is dumped in an odd segment ordering, and some times the keys will be split over a memory segment boundary, so you may need to dump more than once to catch them, The searching through with a hex editor for the keyword will still work with this method, just takes a few tries to get,
To make it easier to find those keys, you can also copy the "/bin/siglent/firmdata0" folder, In there you will find .bin files relating to each option, open them in a hex editor, take the last 4 bytes and xor them 0xFF00FF00, and reverse there order, e.g. 0xC734B24D = 0x38344d4d, this is ascii, 84MM, flip it so its MM48, and there is the first 4 characters of that option to search for.
-
IMHO it is a wrong comparison as people writing here do have some real competence while Trump competence is limited to his very peculiar hair style ;D
To Videobruce, If you need help, ask nicely, Most of the later discoveries where made by different users than those in the first few pages,
That was referring only to the disrespectful individuals mentioned, not the entire membership, nor was it referring to any 1st hand experience. (BTW, I wouldn't even give him credit for his hair either.)
-
I used the Mac OS "Hex Friend" editor to view the memdump.bin file and initially I thought I wasn't getting it but then it kinda stuck out like a sore thumb exactly as described in post #39 steps 21 - 23. What I'm NOT seeing are the Option codes #38 step 24. I see my serial number in two places but no 16 character strings nearby.
I started to try to use FindKeys but I don't use Visual Studio so not sure what I was doing there. I did a build the FindKeys prj and it did put a bin folder with a FindKeys.DLL and FindKeys.json but I don't understand how to run that... I thought there would a FindKeys.exe file? But Bandwidth was the main thing I wanted to upgrade... I will keep checking back here and maybe try the option codes again later... need a break now haha... Many thanks!
I've never used visual studio on a mac, but normally when you build .net core apps on a PC you end up with a dll, which you execute from the command line via "dotnet mydllfilename.dll", e.g. dotnet.exe Findkeys.dll
I assume the same applies on a mac, from a terminal session.
-
This refers to the just plain nastiness here, specifically on the 1st page and throughout this thread (and others).
I'm new here, and I've found everyone completely helpful.
Presumably everyone is here to learn and so sometimes answers are not given to you on a silver platter, but answers contain enough information to make you think for yourself and hopefully learn something.
Understandably if you want someone to do it for you, you'll probably find their answer unhelpful.
-
This has nothing to do with a "silver platter", nor anyone asking for someone else to do it for you. Have you read thru the first the 1st couple of pages??
-
The few of us that have dug into these things and chose to share it, we are already giving you something for free just because we thought it would help others, most of us enjoy this, however its easy to forget the knowledge base of a beginner, And like some of the discussions on the first page, to fully explain the reasons behind why you made those choices, We are good at breaking into things, not always at explaining how we did it.
Personally I see stuff very similar to what a room of engineers look like, some bite and go on the attack rather than clarifying there question
If you need something clarified, I'm right here to explain it as best I can,
I will say your earlier posts read as hostile at first glance, and your latest one still does, I will offer you a suggestion, PM fungus asking to update the first post with the latest unlock information, If you feel comfortable with the info and procedure you could prepare it for him, otherwise just ask Nicely.
-
This has nothing to do with a "silver platter", nor anyone asking for someone else to do it for you. Have you read thru the first the 1st couple of pages??
As others have indicated, how you ask is sometimes more important than what you ask.
Given your attitude, I am not surprised you meet resistance.
-
videobruce,
Being one of those that posted on the first page of this thread, I do remember when/why it first started and the attitudes expressed that might not be clear to a new reader. IIRC, there was some banter in other threads regarding which scope was the best bang-for-buck/most-easily-hackable - essentially a pissing-contest between two camps of brand supporters. I won't speak for Fungus as to why he started this thread (I respect all those who've contributed to this forum; there are a number of highly knowledgeable and helpful people here) but my first impression at the time was that he started this ironically, to continue the banter :D. (I could certainly be wrong about this, but again that was my feeling at the time)
I think that is why the tone of the first page of this thread was more adversarial than usual. Please don't take this as an example of the attitudes of many of the regulars here; this is generally an extremely helpful and informative bunch.
-
[quote I've never used visual studio on a mac, but normally when you build .net core apps on a PC you end up with a dll, which you execute from the command line via "dotnet mydllfilename.dll", e.g. dotnet.exe Findkeys.dll [/quote]
Actually I only used the hex editor on Mac as Notepad++ on PC wasn't giving me the view I needed. I downloaded Visual Studio and set up on PC... never worked with it before. So I guess I did everything correct but I just had no idea how to open the the file or even what file to open. I'll see if I can do it now using command line. Tx!
-
Hey all,
I'm pretty new to electronics and new to this forum, but thought you might find a python port of the FindKeys script useful - I didn't want to mess with visual studio. Disclaimer, it's hacky as hell, barely tested, and skips over the niceties of the original script. But it did successfully pull out all the licenses. Good luck! And feel free to clean it up.
FP = 'YOUR_FILE_PATH'
def crazy_check(byte, l):
return (
(byte < ord('2') or byte > ord('9')) and
((byte < ord('A') + l) or (byte > ord('Z') + l)) and
(byte != ord('L') + l) and (byte != ord('O') + l)
)
parts4 = set()
parts8 = set()
parts12 = set()
keys = set()
def find_keys(fp):
with open(fp, 'rb') as f:
entire_buffer = f.read()
l = 0
for j in range(2):
i = 0
str_start = 0
str_size = 0
for i in range(len(entire_buffer)):
byte = entire_buffer[i]
if crazy_check(byte, l):
b = (str_start % 4096 == 0) or (i % 4096 == 0)
if str_size > 15 or (str_size > 3 and b):
str_end = str_start + str_size
if str_size % 16 == 0:
s = entire_buffer[str_start:str_end].decode('utf8')
while len(s) > 15:
left_string, s = peel_off_string(s, 16)
check_and_add(left_string)
if str_size % 4 == 0 and b:
for x in range(0, 16, 4):
s = entire_buffer[str_start:str_end].decode('utf8')
left_string, s = peel_off_string(s, x)
check_and_add(left_string)
while len(s) > 15:
left_string, s = peel_off_string(s, 16)
check_and_add(left_string)
check_and_add(s)
str_size = 0
str_start = i + 1
else:
str_size += 1
l += 32
keys.union(consolidate_parts(parts8, parts8))
keys.union(consolidate_parts(parts4, parts12))
keys.union(consolidate_parts(parts12, parts4))
for k in keys:
print(k)
def check_and_add(string):
is_ok = string.isupper() and len(string) % 4 == 0 and len(string) > 0
if is_ok:
if len(string) == 4:
parts4.add(string)
if len(string) == 8:
parts8.add(string)
if len(string) == 12:
parts12.add(string)
if len(string) == 16:
keys.add(string)
def peel_off_string(string, i):
left_string = ""
if len(string) >= i:
left_string = string[:i]
string = string[i:]
return left_string, string
def consolidate_parts(p1, p2):
rc = set()
for i, s1 in enumerate(p1):
for j, s2 in enumerate(p2):
if i != j:
s = s1 + s2
rc.add(s)
return rc
if __name__ == '__main__':
find_keys(FP)
-
Worked! When putting in File Path (FP = 'YOUR_FILE_PATH') be sure to use fwd slashes "/" not back "\" slashes. At first nothing happened... takes a little time to process then I got all the keys. Since i had already gotten the bandwidth keys I just deleted them and the 3 or 4 text strings that were returned. That left me with 4 keys and pretty easy to re-enter the keys for the options until I got them all correctly. Not sure with the extra key was for maybe an unused option.
Anyway very cool, thanks for posting this!
Hey all,
I'm pretty new to electronics and new to this forum, but thought you might find a python port of the FindKeys script useful - I didn't want to mess with visual studio. Disclaimer, it's hacky as hell, barely tested, and skips over the niceties of the original script. But it did successfully pull out all the licenses. Good luck! And feel free to clean it up.
FP = 'YOUR_FILE_PATH'
def crazy_check(byte, l):
return (
(byte < ord('2') or byte > ord('9')) and
((byte < ord('A') + l) or (byte > ord('Z') + l)) and
(byte != ord('L') + l) and (byte != ord('O') + l)
)
parts4 = set()
parts8 = set()
parts12 = set()
keys = set()
def find_keys(fp):
with open(fp, 'rb') as f:
entire_buffer = f.read()
l = 0
for j in range(2):
i = 0
str_start = 0
str_size = 0
for i in range(len(entire_buffer)):
byte = entire_buffer[i]
if crazy_check(byte, l):
b = (str_start % 4096 == 0) or (i % 4096 == 0)
if str_size > 15 or (str_size > 3 and b):
str_end = str_start + str_size
if str_size % 16 == 0:
s = entire_buffer[str_start:str_end].decode('utf8')
while len(s) > 15:
left_string, s = peel_off_string(s, 16)
check_and_add(left_string)
if str_size % 4 == 0 and b:
for x in range(0, 16, 4):
s = entire_buffer[str_start:str_end].decode('utf8')
left_string, s = peel_off_string(s, x)
check_and_add(left_string)
while len(s) > 15:
left_string, s = peel_off_string(s, 16)
check_and_add(left_string)
check_and_add(s)
str_size = 0
str_start = i + 1
else:
str_size += 1
l += 32
keys.union(consolidate_parts(parts8, parts8))
keys.union(consolidate_parts(parts4, parts12))
keys.union(consolidate_parts(parts12, parts4))
for k in keys:
print(k)
def check_and_add(string):
is_ok = string.isupper() and len(string) % 4 == 0 and len(string) > 0
if is_ok:
if len(string) == 4:
parts4.add(string)
if len(string) == 8:
parts8.add(string)
if len(string) == 12:
parts12.add(string)
if len(string) == 16:
keys.add(string)
def peel_off_string(string, i):
left_string = ""
if len(string) >= i:
left_string = string[:i]
string = string[i:]
return left_string, string
def consolidate_parts(p1, p2):
rc = set()
for i, s1 in enumerate(p1):
for j, s2 in enumerate(p2):
if i != j:
s = s1 + s2
rc.add(s)
return rc
if __name__ == '__main__':
find_keys(FP)
-
I'm a bit curious about the actual key generation. As far as I can understand, each individual scope has it's own unique set of keys. Are these keys stored in some kind of nonvolatile/read-only memory (perhaps in a separate memory partition), and generated during production? Or perhaps the keys are generated with the serial number as the input, so only the serial number needs to be stored during production?
-
Keys are generated off the scopeid and serial number using an algorithm only Siglent, and those savvy enough to disassemble the scope application, know.
Someday maybe I can afford a copy of IDA Pro with the requisite disassemblers so I can fall into the latter category :)
-
Keys are generated off the scopeid and serial number using an algorithm only Siglent, and those savvy enough to disassemble the scope application, know.
Someday maybe I can afford a copy of IDA Pro with the requisite disassemblers so I can fall into the latter category :)
Ok, thanks. IDA Pro is rather expensive, and it would still take quite a bit of work to reverse-engineer the algorithm, so as long as the actual generated keys (on a device you own) can be found by other methods, it really isn't worth it.
-
Reverse engineering atleast from my own perspective is one of those few topics that throw you full well into the deep end from the get go, as there is no 1 true way to approach it, and the skill level of the power users, you will struggle finding answers on how to drive the bloody programs early days (not to many hits on stack overflow)
I only started digging because I was bored and had a program do a incrementing search for SCPI queries and started turning up a lot of things that where undocumented, I wanted to figure out what other functions where baked into the thing, and well now I'm down the rabbit whole patching typos, and trying to figure out how the protocol decoders work, in my own vain hopes that I may be able to format out some new ones.
-
I received my scope today, and the info in this thread enabled me to find all keys without breaking a sweat, so thanks to all that contributed with info. For reference, I used the full memory dump method (by sending the SCPI command from the web interface), and then searched the dump file with a hex editor. No need for any scripts or anything.
-
Reverse engineering atleast from my own perspective is one of those few topics that throw you full well into the deep end from the get go, as there is no 1 true way to approach it, and the skill level of the power users, you will struggle finding answers on how to drive the bloody programs early days (not to many hits on stack overflow)
I only started digging because I was bored and had a program do a incrementing search for SCPI queries and started turning up a lot of things that where undocumented, I wanted to figure out what other functions where baked into the thing, and well now I'm down the rabbit whole patching typos, and trying to figure out how the protocol decoders work, in my own vain hopes that I may be able to format out some new ones.
How did you learn how to do this? I would love to know how to go about doing this from scratch, what your process/tools were. Do you use IDA PRO at all? Would you be able to do this with IDA PRO?
-
I use IDA. Yes. Main things to start with is the strings subveiw. You dont really need to reverse anything to see some interesting strings in most programs.
Next would be setting the right architechture for what your reversing. Armv7 a/r from memory.
And finally the basics of the assembler your working with. E.g. BL branch load. And stack push and pull commands tend to give a nice indication where things start and stop.
There is some fiddly stuff to allow ida to name longer string variables. But that comes later.
-
I use IDA. Yes. Main things to start with is the strings subveiw. You dont really need to reverse anything to see some interesting strings in most programs.
Next would be setting the right architechture for what your reversing. Armv7 a/r from memory.
And finally the basics of the assembler your working with. E.g. BL branch load. And stack push and pull commands tend to give a nice indication where things start and stop.
There is some fiddly stuff to allow ida to name longer string variables. But that comes later.
Reminds me of my childhood 40 years ago, when I would take hex dump reports of Z80 and 6502 machine code and manually disassemble the program into marble black graph-ruled notebooks. I learned z80 machine code when I was 13.
It is the only real way you can begin to learn what a program is doing. (It also made me a better developer, being able to think in low-level terms rather than at a higher, abstract level. I can visualize solutions (like bitmaps) that other developers I work with cannot.)
of course, this also assumes you have an understanding of processor operations (e.g. registers, stack, etc.), addressing schemes, etc. So at a minimum you have to find the technical documentation on the processor you're looking to work with.
I would say it was probably a lot easier back then, when programs were written in assembler. I've never tried to manually disassemble a program compiled from a higher-level language.
I do miss doing it. I also miss Latin class in school during my teenage years too. I must be getting nostalgic in my old age.
-
I don't know if the IDA Latin language pack exists but you could try a 2-in-1 ! ;D
-
I don't know if the IDA Latin language pack exists but you could try a 2-in-1 ! ;D
About a year ago I purchased a latin vulgate and latin-to-english dictionary with the intention of reading/translating, but have yet to get around to it.
way back when, we had a local church which still held latin masses, it was good practice, once I was able to train my brain to decipher ecclesiastical latin.
-
way back when, we had a local church which still held latin masses, it was good practice, once I was able to train my brain to decipher ecclesiastical latin.
WOW! Compared with that, assembly is for kids!
-
If IDA is too expensive for you, consider Ghidra
https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/ (https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/)
-
If IDA is too expensive for you, consider Ghidra
https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/ (https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/)
lmao yeah, I'm going to download stuff from the NSA and install it on my computer.
Nooooooo chance of it having some spyware or back-door capabilities for the federal government embedded in there. Noooo sireeeeee.
-
from the NSA and install it on my computer
actually CIA, later NSA. I'm using it since years, still alive, still no drones on the sky. EDIT (Ghidra is really useful, you can always use VM if you care).
I'm more complaint about useless online firmware updates for these DSOs, i don't need it, they are security holes by design, i wish Siglent could spend more time on firmware improvements/fix instead of useless online updates.
-
I came across this thread and found it interesting. It looked like a nice puzzle. I thought whether there is any way to put all the previous information into a single line of code (e.g. shell code), so there is no need for:
- patching the firmware
- searching strings in a hex editor
- compiling some search tools with a version of VS you don't have, so you need to change the code before it runs
- messing arround with USB
The following code is for educational purpose. Do not use it if you have not bought the options or bandwith. If you want to play with it, you should first ask Siglent, how to remove/disable an unwanted/unlicenced option which was unlocked by accident while playing with the device.
This is important because they put a lot of time and work in it to disable some functionality. This work need to be paid!
There might be some exceptions (but I'm mot sure):
- if you lost your bought keys, and the device did it too, or you have not entered it before the precious loss
- if the device was delivered in a wrong configuration (i.e. bandwith)
- if your device came in a wrong case or with a wrong label
This code is for the shell (e.g. Telnet):
BW_OK="200M"; QuickSearch=500; cat /proc/$(pidof sds1000b.app)/maps | grep heap | while read line; do start=0x$(echo $line | cut -c 0-8); end=0x$(echo $line | cut -c 10-18); dd if=/proc/$(pidof sds1000b.app)/mem bs=4096 skip=$(($start/4096)) count=$( [ -z "$QuickSearch" ] && echo $((($end-$start)/4096)) || echo $QuickSearch) | grep -ohE "[A-Z0-9]{16}" | grep -vhE "([A-Z])\1{2}" | while read line; do echo "LCISL WIFI,$line" | nc -w1 127.0.0.1 5024; echo "LCISL AWG,$line" | nc -w1 127.0.0.1 5024; echo "LCISL MSO,$line" | nc -w1 127.0.0.1 5024; [ $BW_OK != "$(echo "PRBD?" | nc -w1 127.0.0.1 5024 | grep -o $BW_OK)" ] && echo "MCBD $line" | nc -w1 127.0.0.1 5024; done; done
You need to enable Telnet like described in post #67.
Yeah ok, it's not a single line in the meaning of code but in the meaning of a string.
Can this also be put into the web interface? Not directly but it can:
SHELLCMD sh -c $'BW_OK="200M" \x3b QuickSearch=500 \x3b cat /proc/$(pidof sds1000b.app)/maps | grep heap | while read line\x3b do start=0x$(echo $line | cut -c 0-8)\x3b end=0x$(echo $line | cut -c 10-18)\x3b dd if=/proc/$(pidof sds1000b.app)/mem bs=4096 skip=$(($start/4096)) count=$( [ -z "$QuickSearch" ] && echo $((($end-$start)/4096)) || echo $QuickSearch) | grep -ohE "[A-Z0-9]{16}" | grep -vhE "([A-Z])\\1{2}" | while read line\x3b do echo "LCISL WIFI,$line" | nc -w1 127.0.0.1 5024\x3b echo "LCISL AWG,$line" | nc -w1 127.0.0.1 5024\x3b echo "LCISL MSO,$line" | nc -w1 127.0.0.1 5024\x3b [ $BW_OK != "$(echo "PRBD?" | nc -w1 127.0.0.1 5024 | grep -o $BW_OK)" ] && echo "MCBD $line" | nc -w1 127.0.0.1 5024\x3b done\x3b done' &
This was a little bit more complicated because the web interface doesn't accept semicolons, so they needed to be masked. There is also a circular dependency for SCPI, which will lock netcat if the script is not running independently, so the ampersand at the end is mandatory.
The variable at the beginning is the bandwith you want to select, and need to be set to a correct string like "200M" or "100M". This can be used if you want to try a different BW (e.g. for benchmarks or so).
I figured out that the keys are at the very beginning of the heap. I put a QuickSearch limit at the beginning of the script, so that it does not need to grep through the whole heap, which would need more then a minute. With the limit of 500 it will run about 5 seconds. If it does not find the keys, you can remove the "500" and it will run through the full heap.
You can watch how the options get unlocked ("xx" instead of a value) if you have this info page opened.
I put an additional filter (grep -vhE "([A-Z])\1{2}") in it to remove found strings (about 50 in the whole heap) with low entropy. This is not really needed, and does not have huge effect on performance but it makes it a little bit more sophisticated. There is a chance of 1/3589 (if I'm right) that this will filter a valid key. You can remove it if you think this is the case.
What do we learn from that at the end?
If you want to use cryptography to check a key, do not calculate the right one in parallel and compare it to the entered one. I also don't understand why they did this if there is nothing to compare. Hmmm, intention?
I hope you have fun and don't forget "Piracy. It's a Crime." ;)
-
I came across this thread and found it interesting. It looked like a nice puzzle. I thought whether there is any way to put all the previous information into a single line of code (e.g. shell code)
...
Awesome! (In more than one way.)
In couple pages someone will start compressing that from "single line of code" to "half a line of code", somehow, and producing Siglent logo in ASCII graphics as a side-effect. (Obfuscated code contest -style)...
... And in few more pages we have the code golfers doing it all in 17... scratch that, 15 characters. No, 11 is enough if you use the language.... no, 9 if you accept messy output.
:P of course.
-
Hello,
Thanks to everyone that contributed to this thread.
I was able to easily SHELL the telnet on 9999, telnet in from my Win10 laptop, save a memory dump to a USB drive and use HxD editor to locate 5 codes, two of which were Nut2Butt... then use MCBD on the second code to change my bandwidth to 200M with PRBD? reporting such and all without any reboot.
A few things that I have question of I hope someone can insight me.
I was able to use the 200M code, what are the others for? I do not wish to break something so I ask for knowledge first.
Is it to do with other "Options"? I know post #39 has 100M, 200M, 50M and 70M.... Are the 5 codes I have retrieved strictly related to BW only?
So why 5 codes and not 4? "The one that appears twice is the license key your scope is currently licensed under."
Secondly, can I locate other unlock codes for the other features on my SDS1104X-E? "When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO."
In my own attempt to answer these questions, I rebooted the machine and I ran the latest "One Liner" code via telnet, but even leaving QuickSearch blank I received only:
7563+0 records in
7563+0 records out
30978048 bytes (29.5MB) copied, 80.243151 seconds, 377.0KB/s
Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
>>Welcome to the SCPI instrument 'Siglent SDS1204X-E'
....
Running the SCPI SHELL of this with QuickSearch blank I received:
"Device Cannot Be Connected"
With QuickSearch=500 it finished but did not report any results.
Thanks..
--Wes
-
damn so in the end i am wasting my money to buy SDS1204X-E...........if i knew something like this could happen then i wouldn't want to buy my current oscilloscope :(
does anyone here have a chance to crack SDS1204X-E? i just want to know if there is still a possibility to crack more bandwidth out of this oscilloscope...
-
Hey all,
I'm pretty new to electronics and new to this forum, but thought you might find a python port of the FindKeys script useful - I didn't want to mess with visual studio. Disclaimer, it's hacky as hell, barely tested, and skips over the niceties of the original script. But it did successfully pull out all the licenses. Good luck! And feel free to clean it up.
I ran this and compared it to my outputs of key codes from the Hex Editor and this python mod worked fine. It harvested every possible key, just it ends up being a try/fail routine with 40-ish codes.
The program ran for minutes without any errors on a Windows 10 machine.
Thanks Phil.
-
Does anyone know if this general approach works on any other Siglent oscilloscope series? After digging through this whole thread I think it was stated that it would NOT work on the SDS1kX series. What about the SDS2kX series? Thanks for all of the great info!
-
I haven't fully tested this but the output matches the bandwidth keys in reply #89 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2133526/#msg2133526).
Needs Python 3, just replace the serial and run.
Edit: Update (https://repl.it/@wgoeo/siglent-keygen), thanks tinhead!
-
Ran the script, and it found all the correct keys for my scope.
Thank you :-)
-
I haven't fully tested this but the output matches the bandwidth keys in reply #89 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2133526/#msg2133526).
Needs Python 3, just replace the serial and run.
almost, for bandwidth SCOPE_ID and for other options S/N is the way to go. With some tricks (generate 500M License - which is not valid for that models but it opens somedoors, add it, generate 300M License, add it, reboot) one can go even to non existing but valid model SDS1304X-E, but for some reason even if shows that model, it defaults filter to 70MHz BW, so not "yet" perfekt hack
[attachimg=1]
-
It seems there is another way to enable telnet without doing a firmware update. Create a file named siglent_device_startup.sh in the root directory of a FAT formatted USB disk containing the following:
#!/bin/sh
/usr/sbin/telnetd -l /bin/sh -p 2323 &
Insert the disk, reboot the scope, then try telnetting to port 2323. If something goes wrong, unplug the disk then reboot.
For 6.1.33 and possibly older versions. Untested as always.
-
Hi Newbie here, but not a newbie. But I sure feel like one right now!
I read the entire thread, and it appears that all I really need to do is establish a telnet session with the scope and/or use that whiz bang single line thing from the web interface. I can't get either to work.
I've tried starting the telnet server on the scope using 2 methods - the one in message 67 (SHELLCMD telnetd -l/bin/sh -p9999), and the one in 161 (should be just above this post) using the USB drive. Neither appear to start the server. When I try to telnet into the scope, (using PuTTY which I use frequently, or straight up Windows 10 Telnet) it fails:
Microsoft Telnet> o 192.168.1.55
Connecting To 192.168.1.55...Could not open connection to the host, on port 23: Connect failed
Microsoft Telnet> o 192.168.1.55 2323
Connecting To 192.168.1.55...Could not open connection to the host, on port 2323: Connect failed
Microsoft Telnet> o 192.168.1.55 9999
Connecting To 192.168.1.55...Could not open connection to the host, on port 9999: Connect failed
YES, 192.168.1.55 is the static address I assigned to the scope, and I am able to get to the web server on that address (so there is no weird subnet problem/etc.
Tracing route to 192.168.1.55 over a maximum of 30 hops
1 2 ms 1 ms <1 ms 192.168.1.55
Trace complete.
[attachimg=1]
Running the one line update also does nothing.
So I took another step backwards and just tried to create a memory dump on the USB stick using SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin. I used both USB ports (the scope recognized the USB stick both places). Neither time did I get a file of any size (not even an empty one).
So to me, it appears that despite the web interface saying 'command send success', it's not actually doing anything on the scope. Am I missing something simple? Do I need to enable something? With none of this working, I'm a bit gun-shy to revert the firmware (like all the way back in msg 1).
FYI:
[attachimg=2]
-
SHELLCMD doesnt exist in the FW anymore. So you can't use the commands based on that.
I think there is a public .GEL that allows you establish a SSH session or do a memdump.
Re-read this thread at least.
-
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
-
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
Bode plot is a free feature in every way.
All that's required is a sweeping sine wave source that can be controlled from the Bode plot UI within the scope.
Yes that's additional cost of the SAG1021 AWG module or one of Siglent's stand alone AWG's.
SAG1021 has sine to 25 MHz while the stand alone AWG's from the SDG ranges start with the single channel 5 MHz SDG805 to the 500 MHz 2ch SDG6052X.
An excellent Bode plot pairing would be with SDG2042X or the bit cheaper SDG1032X.
-
SHELLCMD doesnt exist in the FW anymore. So you can't use the commands based on that.
I think there is a public .GEL that allows you establish a SSH session or do a memdump.
Re-read this thread at least.
Ok, I reread the thread and I came at it differently....
1 - I already have python on this machine (I use it frequently)
2 - I downloaded the script wgoeo posted a couple of messages back
3 - I updated the serial number in the script with my serial number from the back of the unit/System status screen (note - I used the entire serial number, all in caps, starting with SDSM (not sure if that is right nor not)
4 - Ran the script and it generated the keys
5 - In the SCPI web page I entered "MCBD [generatedkey]" (obvs without " or [])
6 -Reboot
Nothing changed. MCBD? shows no change. I also tried lower case serial number, as well as changing the 'SDS1000X-E to SDS1104X-E' - which I probably didn't need to do, but tried anyway. I also tried using Scope ID (from ScopeID? command) both as-is and with removing the hyphens and changing lowercase HEX to uppercase.
Please, can you give me a point in the right direction?
-
Nothing changed... python
for bandwidth license you need to use scope id (scope id is somthing like 007c32...), for other software options the serial number (SDSMMEXA123...).
-
I thought I had tried all the different Scope ID permutations. Looks like I didn't. The one that works is without dashes and leaving any other characters as they are.
For Bandwidth Upgrade (Worked for me on 8.1.6.1.33):
- Connect Scope to LAN
- On Scope: In Utility menu -> Page (page 2)-I/O-IP Set
- Either set a static IP address or enable DHCP-Save
- Reboot. If DHCP, use step 2 and get your scope's IP
- Open Web Browser-input the IP address of scope
- SCPI button on left. In the command field: SCOPEID?
(dont forget or miss the ? at the end. it is important) - Copy the ID shown
- Download the python script from wgeon just a few messages before this one
- Open the script in Notepad. Find the line that starts serial =
- Delete everything between the two single quote marks, then place your scope ID there.
NOTE: Your scope ID will probably contain dashes. Remove them. All you want are the the numbers and letters without spaces or dashes or anything else.
Example:
If SCOPEID? Returns: 1234-fedc-567b-89a0
then the serial line in the script is:
serial = '1234fedc567b89a0'
Just remove the dashes. Leave the rest alone.
- Run this python script. If you have Python already installed on your computer you can run it locally. Otherwise a quick google search will turn up places to upload/paste the script and run it. (The first link in a Google of 'run python online' works)
- In the 200M line the script will return a key of 16 characters. Copy them.
- Back in the web browser on the web page for the scope, in the SCPI command enter:MCBD (key)
Don't include the ()s, just the 16 characters like this: MCBD 0123456789ABCDEF
- Reboot the scope
Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)
-
...
Example:
If SCOPEID? Returns: 1234-fedc-567b-89a0
then the serial line in the script is:
serial = '1234fedc567b89a0'
Just remove the dashes. Leave the rest alone.
I've never understood this. Isn't the whole point of computers that they can effortlessly do things like removing dashes from numbers, thus making life easier for everybody?
(apparently not, I've actually written to banking API teams telling them that life would be a lot easier for my customers if they accepted credit card numbers with and without spaces and received corporate-boilerplate replies telling me I need to make it more clear on the web site...)
Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)
Nobody ever reads instructions.
How about getting the slob who wrote the script to fix that? :popcorn:
-
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
Bode plot is a free feature in every way.
All that's required is a sweeping sine wave source that can be controlled from the Bode plot UI within the scope.
Yes that's additional cost of the SAG1021 AWG module or one of Siglent's stand alone AWG's.
SAG1021 has sine to 25 MHz while the stand alone AWG's from the SDG ranges start with the single channel 5 MHz SDG805 to the 500 MHz 2ch SDG6052X.
An excellent Bode plot pairing would be with SDG2042X or the bit cheaper SDG1032X.
do i need to purchase license to activate bode plot? i see there is a 30 day trial for AWG...i am planning to buy a stand alone AWG, so what should i do?
-
bode plot is free, to use the AWG for anything other than bode plot needs the AWG license,
-
hello everyone, do this unlock steps also work on SDS1204-X? i really want to its unlock bode plot mode anyway
Bode plot is a free feature in every way.
All that's required is a sweeping sine wave source that can be controlled from the Bode plot UI within the scope.
Yes that's additional cost of the SAG1021 AWG module or one of Siglent's stand alone AWG's.
SAG1021 has sine to 25 MHz while the stand alone AWG's from the SDG ranges start with the single channel 5 MHz SDG805 to the 500 MHz 2ch SDG6052X.
An excellent Bode plot pairing would be with SDG2042X or the bit cheaper SDG1032X.
do i need to purchase license to activate bode plot?
Nope, not at all. Bode plot works plug and play with all Siglent AWG's
i see there is a 30 day trial for AWG...i am planning to buy a stand alone AWG, so what should i do?
The trial usage only applies to the SAG1021 AWG module for use as an AWG from within the SDS1*04X-E Function Gen inbuilt interface.
You have 2 options, use a Siglent AWG and have simple no hassle Bode Plot usage or attempt to interface another brand AWG so the Bode Plot feature can control the other AWG. It can be done as I've already given you a link in another earlier reply but not everyone wants to have the hassle of converting the control code to get it all to work.
Any/all the examples I've posted of Bode plot use was with a SDG1032X.
Use the forum Search and 'bode plot example tautech' should find them all.
-
I bought an SDS1104X-E last week, and I have all the same version numbers as oldcqr in reply #162
SHELLCMD doesn't seem to do anything from the SCPI interface, but wgoeo's siglent_device_startup.sh script on a usb stick from reply #161 did. Oddly it didn't seem to work every time, but often enough that it wasn't a big deal.
Dumping out the process memory of sds1000b.app didn't seem to reveal any keys. I could find my scopeid and my serial number, but very few 16-character ascii strings, none of which worked.
The updated python script from wgoeo in reply #158 worked perfectly. Bandwidth, wifi, awg & mso all unlocked without any need for telnet or any other out-of-band mods.
(I ended up needing shell access to manually fix my wpa.conf, but that's another story)
Thanks wgoeo & tinhead, and everyone else who has contributed to this thread :-+
-
I bought an SDS1104X-E last week, and I have all the same version numbers as oldcqr in reply #162
SHELLCMD doesn't seem to do anything from the SCPI interface, but wgoeo's siglent_device_startup.sh script on a usb stick from reply #161 did. Oddly it didn't seem to work every time, but often enough that it wasn't a big deal.
Dumping out the process memory of sds1000b.app didn't seem to reveal any keys. I could find my scopeid and my serial number, but very few 16-character ascii strings, none of which worked.
The updated python script from wgoeo in reply #158 worked perfectly. Bandwidth, wifi, awg & mso all unlocked without any need for telnet or any other out-of-band mods.
(I ended up needing shell access to manually fix my wpa.conf, but that's another story)
Thanks wgoeo & tinhead, and everyone else who has contributed to this thread :-+
Agreed! I just got a brand new SDS1104X-E and I am a step away from MCBD'ing the 200M key. But I am a bit of a skeptical nature and wanted to know if it would be possible to reverse-downgrade (for whatever reason) the process to 100M key? The TryKeys GitHub comments suggest that this is not possible with MBCD. Did anyone try this? Also after updating does indeed the model name change?
Thank you guys in advance
-
wanted to know if it would be possible to reverse-downgrade (for whatever reason) the process to 100M key?
It is. Run the MCBD command again with your 100M key and it's back to 100Mhz.
Also after updating does indeed the model name change?
It does. There's screenshots in this thread showing the status page with the updated model code.
-
hi guys,
I've read all posts from this topic and I'm impressed.
It seems that all is done regarding this oscilloscope but I have other problem fitting well to this topic. I hope will be interesting for you.
Some time ago I've been in China (8 months in totall of living and working in Shenzhen city). Just before returning to Europe I bought oscilloscope from taobao (chinese ebay). I haven't known about hacking possibility in this time, by the way. I've choosen it because of parameters vs price ratio. Price was 3,1k CNY (~430 USD - current rate). So, cheaper then in Europe but not much. On Chinese market this oscilloscope has little bit different name: SDS1104X-C. I noticed it but didn't expect that only different between ...X-C nad ...X-E are Chinese language in menu that can't be change to any other:)
I wrote a message to Siglent China with question how to change the language to English but they rid me off and suggested to return device back (it was too late for me because of next day flight). Also Siglent Europe(Netherlands) didn't help me (they even didn't know about ...X-C model exist:)). Only thing I've known from Siglent was that only this model (4ch) SDS1104X has unchangable Chinese language on domestic market. On any other Siglent product you can change language to English:)
Hardware seems to be the same like ...X-E. On the motherboard is a label with SDS1000X-E text. Reading of .ads files works and I can changes firmware. But Operation System updating is disable. I think there is no bootloader in flash. It would be too easy to change from ...X-C to ...X-E I guess.
Information in this topic helped me to (almost) fix this problem. My idea was to locate language files and simply exchange chinese and englishc file names. I did it by following steps:
1. change firmware version to 6.1.25R2 (by loading .ads file)
2. change ip on oscilloscope to 192.168.1.57
3. switche to root by:
telnet 192.168.1.57 5024
SHELLCMD telnetd -l/bin/sh -p9999
---------------------------------------------------------
telnet 192.168.1.57 9999
4. remounte partition to rw by:
mount -o remount,rw ubi2_0 /usr/bin/siglent
5. all languages files are in .xml format and are located in:
/usr/bin/siglent/config/ui_data/
chinese simplified version:
simp_help_info.xml
simp_menu_info.xml
simp_text_info.xml
chinese traditional version:
trad_help_info.xml
trad_menu_info.xml
trad_text_info.xml
english version:
english_help_info.xml
english_menu_info.xml
english_text_info.xml
I copied all above files to USB drive:
/usr/bin/siglent/usr/mass_storage/U-disk0/
then changed names of english... files (under windows) to simp... and trad... and coppied back rom USB to:
/usr/bin/siglent/config/ui_data/
After reboot I seen all menu names in english:)
I was happy but it was working on old firmware 6.1.25R2 so I changed firmware to newest 6.1.33 but with this change language changed back to chinese (logical, because new functions requaier new menu files). Unfortunetly, rooting method, mentioned above isn't work on this firmware version, so I couldn't change language files.
I returned to 6.1.25R2 and repeated procedure but I did HORRIBLE mistake this time: during exchanging files I removed them first from ui_data and then copy form USB but I didn't check the files was in ui_data folder after operation. Probably I did some typo and files didn't copy. After reboot the device has hange up on Siglent logo and can't go next.
I can ping it but SHELLCMD (telnet 192.168.1.57 5024) doesn't work:(
so I lost root access. Only I can do is:
telnet 192.168.1.57 23
but I don't know root password off course.
This is my story:)
but it isn't end of the world and I have new idea how to resurrect my device by restore dumped memory. I see 2 possibilities:
1. I localized flash memory on the motherboard. It is one chip: 29F2G08ABAEA WP. This is 2Gb nand flash with 8 bit organization. Unfortunetly, this is parallel programming memory so need to be take off from board to programm it directly. Of corse there is special programmer and adapter needed(I can get it).
2. On the motherboard we can find JTAG connector. Main processor is Xilinx Zynq so using Xilinx SDK(https://www.xilinx.com/html_docs/xilinx2019_1/SDK_Doc/SDK_tasks/sdk_t_memory_dump_restore.html (https://www.xilinx.com/html_docs/xilinx2019_1/SDK_Doc/SDK_tasks/sdk_t_memory_dump_restore.html)) and Digilent JTAG-HS3(https://store.digilentinc.com/jtag-hs3-programming-cable/ (https://store.digilentinc.com/jtag-hs3-programming-cable/)) or JTAG-HS2 USB flashing memory throught Jtag should be possible. Another problem could be to confirme that this is for sure JTAG connector and what is the pinout.
I'm wondering could I flash dumped memory from another oscilloscope (...X-E version with different serial number).
I did dump mem from my scope but if I flash it back there will be the same problem with language and bootloader.
I would be grateful if somebody could share with me dumped memory from SDS1104X-E scope (best for me would be OSV1_EN_eevblog with known root password).
What do you think about my idea to fix it and flashing method I'm mentioning? I would be happy for any suggestions or corrections.
-
On this thread (https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg2478699/#msg2478699) tv84 (and plurn) give a way to activate telnet on firmware 6.1.33
-
Thanks for this info. I'll try it on hanging scope first.
-
Thanks for this info. I'll try it on hanging scope first.
First, get control of your machine once again. After that, worry about changing language.
To solve the language problem you should change the scope model from X-C to X-E. Don't go around patching the filesystem.
Maybe you can do it with a simple SCPI command.
PS: If you have any memdump of your machine I would be interested in having a look.
-
Thanks for this info. I'll try it on hanging scope first.
First, get control of your machine once again. After that, worry about changing language.
To solve the language problem you should change the scope model from X-C to X-E. Don't go around patching the filesystem.
Maybe you can do it with a simple SCPI command.
PS: If you have any memdump of your machine I would be interested in having a look.
Jus very tiny sidenote for yours this: "Also Siglent Europe(Netherlands) didn't help me (they even didn't know about ...X-C model exist:))."
Siglent Europe(Netherlands) is not Siglent at all. It is one Siglent distributor. (also sell many other equipments but using different domain)
If you need Siglent (manufacturer) help in Europe: Right place is Siglent Technologies Germany GmbH
Web side: https://www.siglenteu.com/ (https://www.siglenteu.com/)
Problem is also factory warranty in EU area. You have model localized for China domestic markets what have warranty only there and its serial number is not in EU area database.
But... no one can deny when the owner makes "some" changes and modifications at his own risk. ;)
-
tv84,
regarding getting control once again, do you think that two ways I mentioned above are only possible or maybe you have another idea how to do this easier?
I sent you memdump to PW.
rf-loop,
you've right. I don't remember how I reached to this contact. I could swear that from siglent.com link but as I'm checking now there is link to Siglent Hamburg.
Regarding warranty, yes I was full aware of it. I expected something like "to solve your problem we need to reflash device. Cost of this operation is ...." I didn't expect any free warranty actions.
But it doesn't metter now because I've gone to hardware mafia already:)
-
I don't remember if you can force an FW upgrade while the scope is booting (supported by the bootloader).
Maybe tautech can help in that regard.
Do you have access to serial port? What does that log show?
-
I'll try to read log in the evening. Will let you know.
-
serial transmition work with baudrate 115200kbps. It seems that I can write commands also.
here are df command response:
df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/root 29868 29868 0 100% /
devtmpfs 110060 0 110060 0% /dev
none 118348 0 118348 0% /tmp
ubi1_0 29816 14388 15428 48% /usr/bin/siglent
ubi2_0 5848 72 5776 1% /usr/bin/siglent/firmdata0
ubi0_0 84752 280 84472 0% /usr/bin/siglent/usr
/dev/sda1 15711208 31136 15680072 0% /usr/bin/siglent/usr/mass_storage/U-disk0
/ #
here are the logs:
1.Booting of scope
Start menu vdma ...
Config AXI VDMA...
Start menu vdma done.
U-Boot 2014.07-svn32760 (Mar 23 2018 - 01:35:12)
Board: Xilinx Zynq
I2C: ready
DRAM: ECC disabled 243 MiB
NAND: 256 MiB
MMC: zynq_sdhci: 0
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
int board_late_init(void)+++++
[INFO]int fb_display_logo(void)++++++++++++
[INFO]pStorageMem=0xfa00000, logo_data=0x200036, width=800, height=480
[INFO]int fb_display_logo(void)----------
int board_late_init(void)-----
Net: Gem.e000b000
Hit any key to stop autoboot: 0
(Re)start USB...
USB0: USB EHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
USB1: ULPI request timed out
zynq ULPI viewport init failed
lowlevel init failed
scanning usb for storage devices... 0 Storage Device(s) found
Copying Linux from USB to RAM...
** Bad device usb 0 **
** Bad device usb 0 **
Copying Linux from NAND flash to RAM...
NAND read: device 0 offset 0x780000, size 0x400000
4194304 bytes read: OK
NAND read: device 0 offset 0xb80000, size 0x80000
524288 bytes read: OK
## Booting kernel from Legacy Image at 02080000 ...
Image Name: Linux-3.19.0-xilinx-svn8988
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 3614680 Bytes = 3.4 MiB
Load Address: 00008000
Entry Point: 00008000
Verifying Checksum ... OK
## Flattened Device Tree blob at 02000000
Booting using the fdt blob at 0x2000000
EHCI failed to shut down host controller.
Loading Kernel Image ... OK
Loading Device Tree to 0e00d000, end 0e013e8b ... OK
Starting kernel ...
[ 0.000000] Booting Linux on physical CPU 0x0
[ 0.000000] Linux version 3.19.0-xilinx-svn8988 (david@david-virtual-machine) (gcc version 4.6.1 (Sourcery CodeBench Lite 2011.09-50) ) #187 SMP PREEMPT Wed Feb 28 18:55:09 CST 2018
[ 0.000000] CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=18c5387d
[ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[ 0.000000] Machine model: Zynq Zed Development Board
[ 0.000000] cma: Reserved 16 MiB at 0x0d000000
[ 0.000000] Memory policy: Data cache writealloc
[ 0.000000] PERCPU: Embedded 9 pages/cpu @4edf2000 s8128 r8192 d20544 u36864
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 60960
[ 0.000000] Kernel command line: console=ttyPS0,115200 root=/dev/mtdblock5 rootfstype=cramfs init=/linuxrc earlyprintk uboot_version=08
[ 0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[ 0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Memory: 220120K/245760K available (4514K kernel code, 229K rwdata, 1748K rodata, 192K init, 223K bss, 9256K reserved, 16384K cma-reserved, 0K highmem)
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
[ 0.000000] fixmap : 0xffc00000 - 0xfff00000 (3072 kB)
[ 0.000000] vmalloc : 0x4f800000 - 0xff000000 (2808 MB)
[ 0.000000] lowmem : 0x40000000 - 0x4f000000 ( 240 MB)
[ 0.000000] pkmap : 0x3fe00000 - 0x40000000 ( 2 MB)
[ 0.000000] modules : 0x3f000000 - 0x3fe00000 ( 14 MB)
[ 0.000000] .text : 0x40008000 - 0x40625c7c (6264 kB)
[ 0.000000] .init : 0x40626000 - 0x40656000 ( 192 kB)
[ 0.000000] .data : 0x40656000 - 0x4068f620 ( 230 kB)
[ 0.000000] .bss : 0x4068f620 - 0x406c74c4 ( 224 kB)
[ 0.000000] Preemptible hierarchical RCU implementation.
[ 0.000000] RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
[ 0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[ 0.000000] NR_IRQS:16 nr_irqs:16 16
[ 0.000000] L2C: platform modifies aux control register: 0x72360000 -> 0x72760000
[ 0.000000] L2C: DT/platform modifies aux control register: 0x72360000 -> 0x72760000
[ 0.000000] L2C-310 erratum 769419 enabled
[ 0.000000] L2C-310 enabling early BRESP for Cortex-A9
[ 0.000000] L2C-310 full line of zeros enabled for Cortex-A9
[ 0.000000] L2C-310 ID prefetch enabled, offset 1 lines
[ 0.000000] L2C-310 dynamic clock gating enabled, standby mode enabled
[ 0.000000] L2C-310 cache controller enabled, 8 ways, 512 kB
[ 0.000000] L2C-310: CACHE_ID 0x410000c8, AUX_CTRL 0x76760001
[ 0.000000] slcr mapped to 4f804000
[ 0.000000] zynq_clock_init: clkc starts at 4f804100
[ 0.000000] Zynq clock init
[ 0.000011] sched_clock: 64 bits at 333MHz, resolution 3ns, wraps every 3298534883328ns
[ 0.000137] timer #0 at 4f806000, irq=17
[ 0.000507] Console: colour dummy device 80x30
[ 0.000528] Calibrating delay loop... 1332.01 BogoMIPS (lpj=6660096)
[ 0.090280] pid_max: default: 32768 minimum: 301
[ 0.090439] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.090454] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.091117] CPU: Testing write buffer coherency: ok
[ 0.091334] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[ 0.091420] Setting up static identity map for 0x441b50 - 0x441ba8
[ 0.240268] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
[ 0.240353] Brought up 2 CPUs
[ 0.240373] SMP: Total of 2 processors activated (2664.03 BogoMIPS).
[ 0.240382] CPU: All CPU(s) started in SVC mode.
[ 0.240922] devtmpfs: initialized
[ 0.241765] VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
[ 0.247861] NET: Registered protocol family 16
[ 0.250053] DMA: preallocated 256 KiB pool for atomic coherent allocations
[ 0.281232] cpuidle: using governor ladder
[ 0.311198] cpuidle: using governor menu
[ 0.319920] hw-breakpoint: found 5 (+1 reserved) breakpoint and 1 watchpoint registers.
[ 0.319937] hw-breakpoint: maximum watchpoint size is 4 bytes.
[ 0.320085] zynq-ocm f800c000.ocmc: ZYNQ OCM pool: 256 KiB @ 0x4f880000
[ 0.338397] vgaarb: loaded
[ 0.338845] SCSI subsystem initialized
[ 0.339258] usbcore: registered new interface driver usbfs
[ 0.339354] usbcore: registered new interface driver hub
[ 0.339533] usbcore: registered new device driver usb
[ 0.339696] phy0 supply vcc not found, using dummy regulator
[ 0.339788] phy1 supply vcc not found, using dummy regulator
[ 0.339918] --------------usb_udc_init ------
[ 0.340147] pps_core: LinuxPPS API ver. 1 registered
[ 0.340160] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[ 0.340211] PTP clock support registered
[ 0.340340] EDAC MC: Ver: 3.0.0
[ 0.342110] cfg80211: Calling CRDA to update world regulatory domain
[ 0.342491] Switched to clocksource arm_global_timer
[ 0.355818] NET: Registered protocol family 2
[ 0.356660] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.356711] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.356769] TCP: Hash tables configured (established 2048 bind 2048)
[ 0.356821] TCP: reno registered
[ 0.356837] UDP hash table entries: 256 (order: 1, 8192 bytes)
[ 0.356871] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[ 0.357079] NET: Registered protocol family 1
[ 0.357408] RPC: Registered named UNIX socket transport module.
[ 0.357421] RPC: Registered udp transport module.
[ 0.357430] RPC: Registered tcp transport module.
[ 0.357439] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[ 0.359295] futex hash table entries: 512 (order: 3, 32768 bytes)
[ 0.360980] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[ 0.362084] io scheduler noop registered
[ 0.362106] io scheduler deadline registered
[ 0.362157] io scheduler cfq registered (default)
[ 0.364345] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[ 0.364368] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[ 0.364875] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[ 0.943761] console [ttyPS0] enabled
[ 0.947945] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[ 0.954721] [drm] Initialized drm 1.1.0 20060810
[ 0.967430] brd: module loaded
[ 0.974577] loop: module loaded
[ 0.985927] libphy: MACB_mii_bus: probed
[ 1.062680] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[ 1.072565] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[ 1.083970] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 1.090420] ehci-pci: EHCI PCI platform driver
[ 1.095032] usbcore: registered new interface driver usbtmc
[ 1.100611] usbcore: registered new interface driver usb-storage
[ 1.106791] e0002000.usb supply vbus not found, using dummy regulator
[ 1.113516] ci_hdrc ci_hdrc.0: EHCI Host Controller
[ 1.118334] ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1
[ 1.142513] ci_hdrc ci_hdrc.0: USB 2.0 started, EHCI 1.00
[ 1.148689] hub 1-0:1.0: USB hub found
[ 1.152388] hub 1-0:1.0: 1 port detected
[ 1.156845] e0003000.usb supply vbus not found, using dummy regulator
[ 1.165041] i2c /dev entries driver
[ 1.169306] cdns-i2c e0005000.i2c: 20 kHz mmio e0005000 irq 144
[ 1.176565] zynq-edac f8006000.memory-controller: ecc not enabled
[ 1.182821] Xilinx Zynq CpuIdle Driver started
[ 1.187860] ledtrig-cpu: registered to indicate activity on CPUs
[ 1.193949] usbcore: registered new interface driver r8188eu
[ 1.200381] nand: device found, Manufacturer ID: 0x2c, Chip ID: 0xda
[ 1.206679] nand: Micron MT29F2G08ABAEAWP
[ 1.210650] nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[ 1.218244] nand: WARNING: pl353-nand: the ECC used on your system is too weak compared to the one required by the NAND chip
[ 1.229708] Bad block table found at page 131008, version 0x01
[ 1.235969] Bad block table found at page 130944, version 0x01
[ 1.242072] 11 ofpart partitions found on MTD device pl353-nand
[ 1.247919] Creating 11 MTD partitions on "pl353-nand":
[ 1.253229] 0x000000000000-0x000000780000 : "fsbl"
[ 1.259101] 0x000000780000-0x000000b80000 : "kerneldata"
[ 1.265424] 0x000000b80000-0x000000c00000 : "device-tree"
[ 1.271702] 0x000000c00000-0x000001100000 : "Manufacturedata"
[ 1.278368] 0x000001100000-0x000001600000 : "reserved1"
[ 1.284559] 0x000001600000-0x000003e00000 : "rootfs"
[ 1.290488] 0x000003e00000-0x000004800000 : "firmdata0"
[ 1.296687] 0x000004800000-0x000007000000 : "siglent"
[ 1.302875] 0x000007000000-0x00000d400000 : "datafs"
[ 1.308928] 0x00000d400000-0x00000fc00000 : "upgrade_cramdisk"
[ 1.315809] 0x00000fc00000-0x000010000000 : "reserved2"
[ 1.324085] TCP: cubic registered
[ 1.327329] NET: Registered protocol family 17
[ 1.331766] lib80211: common routines for IEEE802.11 drivers
[ 1.337774] Registering SWP/SWPB emulation handler
[ 1.349485] cramfs_fill_nand blocks is 320-----------------------
[ 1.349485]
[ 1.349485]
[ 1.349485]
[ 1.362746] VFS: Mounted root (cramfs filesystem) readonly on device 31:5.
[ 1.369593] devtmpfs: mounted
[ 1.372790] Freeing unused kernel memory: 192K (40626000 - 40656000)
[ 1.482595] usb 1-1: new high-speed USB device number 2 using ci_hdrc
[ 1.633815] hub 1-1:1.0: USB hub found
[ 1.637694] hub 1-1:1.0: 3 ports detected
Starting rcS...
Mounting filesystem
[ 1.798962] UBI-0: ubi_attach_mtd_dev:attaching mtd8 to ubi0
[ 2.201038] UBI-0: scan_all:scanning is finished
40
[ 2.760356] UBIFS: mounted UBI device 1, volume 0, name "siglent", R/O mode
[ 2.767266] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 2.776374] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[ 2.786001] UBIFS: reserved for root: 0 bytes (0 KiB)
[ 2.791032] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[ 2.867658] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[ 2.874396] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 2.883497] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[ 2.892864] UBIFS: reserved for root: 0 bytes (0 KiB)
[ 2.897890] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[ 2.911607] UBIFS: background thread "ubifs_bgt0_0" started, PID 675
[ 2.943197] UBIFS: recovery needed
2.760356] UBIFS: mounted UBI device 1, volume 0, name "siglent", R/O mode
[ 2.767266] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 2.776374] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[ 2.786001] UBIFS: reserved for root: 0 bytes (0 KiB)
[ 2.791032] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[ 2.867658] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[ 2.874396] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 2.883497] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[ 2.892864] UBIFS: reserved for root: 0 bytes (0 KiB)
[ 2.897890] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[ 2.911607] UBIFS: background thread "ubifs_bgt0_0" started, PID 675
[ 2.943197] UBIFS: recovery needed
h_mtd_dev:available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 9
[ 2.674601] UBI-2: ubi_thread:background thread "ubi_bgt2d" started, PID 670
, name "siglent", R/O mode
[ 2.767266] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 2.776374] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[ 2.786001] UBIFS: reserved for root: 0 bytes (0 KiB)
[ 2.791032] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[ 2.867658] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[ 2.874396] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 2.883497] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[ 2.892864] UBIFS: reserved for root: 0 bytes (0 KiB)
[ 2.897890] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[ 3.025920] UBIFS: recovery completed
[ 3.029594] UBIFS: mounted UBI device 0, volume 0, name "rootfs"
[ 3.035545] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 3.044644] UBIFS: FS size: 94597120 bytes (90 MiB, 745 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
[ 3.054276] UBIFS: reserved for root: 0 bytes (0 KiB)
[ 3.059305] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C886A817-B838-46DF-AE16-F9920045A7D7, small LPT model
Upgrade start
Configure eth0
Starting mdev
[ 2.911607] UBIFS: background thread "ubifs_bgt0_0" started, PID 675
[ 2.943197] UBIFS: recovery needed
h_mtd_dev:available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 9
[ 2.674601] UBI-2: ubi_thread:background thread "ubi_bgt2d" started, PID 670
8 KiB), LEB size: 126976 bytes
[ 2.478605] UBI-1: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[ 2.487104] UBI-1: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[ 2.495793] UBI-1: ubi_attach_mtd_dev:good PEBs: 320, bad PEBs: 0, corrupted PEBs: 0
[ 2.503509] UBI-1: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[ 2.512435] UBI-1: ubi_attach_mtd_dev:max/mean erase counter: 13/9, WL threshold: 4096, image sequence number: 1819264682
[ 2.523399] UBI-1: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 320, PEBs reserved for bad PEB handling:[ 4.045576] xilinx-dma 40400000.dma: Probing xilinx axi dma engine...Successful
[ 4.087569] sigdma_init++++++
[ 4.111420] siglentkb probe
[ 4.114484] ##### siglentkb registers 4fc1e580 4fc365a4 4fc385b8
[ 4.139471] usbcore: registered new interface driver mt7601u
[ 4.152355] irq = 170
config read
###### Config vdma for wave transform #######
config write
config read
dump s2mm registers
dump mm2s registers
####### done! ########
Config vnc data to memory
Config done!
#### siglentkb registers 4fc1e580 4fc365a4 4fc385b8
[ 4.139471] usbcore: regis[ 4.371815] UBIFS: background thread "ubifs_bgt1_0" started, PID 778
ln: /usr/bin/siglent/config/www/web_img/usr: File exists
Starting Lighttpd Web Server: Initializing framebuffer device /dev/fb0...
xres=800, yres=480, xresv=800, yresv=480, xoffs=0, yoffs=0, bpp=16
Initializing touch device /dev/input/event0 ...
Initializing VNC server:
width: 800
height: 480
bpp: 16
port: 5900
Initializing server...
01/01/1970 00:00:04 Listening for VNC connections on TCP port 5900
[ 4.504615] random: lighttpd urandom read with 17 bits of entropy available
lighttpd.
[ 4.643624] UBIFS: background thread "ubifs_bgt1_0" stops
rcS Complete
Processing /etc/profile... Done
/ # �[34m[INFO]:�[0mcalibrate_t():line=81:calibrate_t::calibrate_t()
product_type SDS1004X_E
mkdir: can't create directory '/usr/bin/siglent/usr/wifi/': File exists
rm: can't remove '/usr/bin/siglent/usr/wifi/wpa_supplicant': No such file or directory
$Task start:: SCPI
$Task start:: Devce
$Task start:: WLAN
$Task start:: Udisk&Lan
vxi11_main = 6821.64
$Task start:: Vxi11_client
sh: write error: Invalid argument
drv_instance_manage_t: produce_id: 13501
(DRV_PRODUCT_PIKACHU)
_drv_product=4
acq_scal_user = -1.000000
ready...
ready...
ready...
ready...
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_awg_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_wifi_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_mso_license.txt
[ 7.232355] export_store: invalid GPIO 115
sh: write error: Invalid argument
sh: can't create /sys/class/gpio/gpio115/direction: nonexistent directory
sh: can't create /sys/class/gpio/gpio115/value: nonexistent directory
open file %s fail !!!!/usr/bin/siglent/config/arb/2ASK.wav
scpi_register_cmd_boardtest
ready...
cp: can't stat '/usr/bin/siglent/usr/usr/save_setting.xml': No such file or directory
/usr/bin/siglent/usr/usr/save_setting.xml not exist
$Task start:: UI
ifconfig: SIOCGIFFLAGS: No such device
$Task start:: awg_thread
mod_if_exit_handler:signal=11
Clean Up Ready!
Clean Up - nlog
Clean Up - Main Thread
Clean Up - scpi
Clean Up - timer
Clean Up - dev_thread
Clean Up - ui
Clean Up - acq_thread
Clean Up - acq_data
Clean Up - draw_wave
Clean Up - bu_cfg
Clean Up - bu_main
Clean Up - bu_app
Clean Up - key
Clean Up - other
Clean Up - usbtmc
Clean Up - VXI_11
Clean Up - dev_interrupt
Clean Up - wlan_manager
Clean Up - power_off
Clean Up - telnet_scpi
Clean Up - socket_scpi
Clean Up - vxi11_client
Clean Up - Config
Clean Up - sdg_Timer
Clean Up - awg_threa[ 10.912150] Free all channel resources.
d
Clean Up - usbtmc_assistant_interrupt
Clean Up Over!
sds100[ 10.919150] Free all channel resources.
0b.app: mempool.h:81: MemoryChunk::~MemoryChunk(): Assertion `tempcount==count' failed.
2. Booting of scope with OS stored in external USB drive
Start menu vdma ...
Config AXI VDMA...
Start menu vdma done.
U-Boot 2014.07-svn32760 (Mar 23 2018 - 01:35:12)
Board: Xilinx Zynq
I2C: ready
DRAM: ECC disabled 243 MiB
NAND: 256 MiB
MMC: zynq_sdhci: 0
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
int board_late_init(void)+++++
[INFO]int fb_display_logo(void)++++++++++++
[INFO]pStorageMem=0xfa00000, logo_data=0x200036, width=800, height=480
[INFO]int fb_display_logo(void)----------
int board_late_init(void)-----
Net: Gem.e000b000
Hit any key to stop autoboot: 0
(Re)start USB...
USB0: USB EHCI 1.00
scanning bus 0 for devices... 3 USB Device(s) found
USB1: ULPI request timed out
zynq ULPI viewport init failed
lowlevel init failed
scanning usb for storage devices... 1 Storage Device(s) found
Copying Linux from USB to RAM...
** Invalid partition 1 **
** Invalid partition 1 **
Copying Linux from NAND flash to RAM...
NAND read: device 0 offset 0x780000, size 0x400000
4194304 bytes read: OK
NAND read: device 0 offset 0xb80000, size 0x80000
524288 bytes read: OK
## Booting kernel from Legacy Image at 02080000 ...
Image Name: Linux-3.19.0-xilinx-svn8988
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 3614680 Bytes = 3.4 MiB
Load Address: 00008000
Entry Point: 00008000
Verifying Checksum ... OK
## Flattened Device Tree blob at 02000000
Booting using the fdt blob at 0x2000000
EHCI failed to shut down host controller.
Loading Kernel Image ... OK
Loading Device Tree to 0e00d000, end 0e013e8b ... OK
Starting kernel ...
[ 0.000000] Booting Linux on physical CPU 0x0
enabled
0.356649] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.356703] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.356761] TCP: Hash tables configured (established 2048 bind 2048)
[ 0.356810] TCP: reno registered
[ 0.356828] UDP hash table entries: 256 (order: 1, 8192 bytes)
[ 0.356863] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[ 0.357070] NET: Registered protocol family 1
[ 0.357416] RPC: Registered named UNIX socket transport module.
[ 0.357429] RPC: Registered udp transport module.
[ 0.357438] RPC: Registered tcp transport module.
[ 0.357447] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[ 0.359290] futex hash table entries: 512 (order: 3, 32768 bytes)
[ 0.360978] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[ 0.362068] io scheduler noop registered
[ 0.362090] io scheduler deadline registered
[ 0.362140] io scheduler cfq registered (default)
[ 0.364310] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[ 0.364330] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[ 0.364832] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[ 0.943655] console [ttyPS0] enabled
[ 0.947840] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[ 0.954616] [drm] Initialized drm 1.1.0 20060810
[ 0.967322] brd: module loaded
[ 0.974502] loop: module loaded
[ 0.985953] libphy: MACB_mii_bus: probed
[ 1.062452] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[ 1.072328] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[ 1.083738] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.356703] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.356761] TCP: Hash tables configured (established 2048 bind 2048)
[ 0.356810] TCP: reno registered
[ 0.356828] UDP hash table entries: 256 (order: 1, 8192 bytes)
[ 0.356863] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[ 0.357070] NET: Registered protocol family 1
[ 0.357416] RPC: Registered named UNIX socket transport module.
[ 0.357429] RPC: Registered udp transport module.
[ 0.357438] RPC: Registered tcp transport module.
[ 0.357447] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[ 0.359290] futex hash table entries: 512 (order: 3, 32768 bytes)
[ 0.360978] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[ 0.362068] io scheduler noop registered
[ 0.362090] io scheduler deadline registered
[ 0.362140] io scheduler cfq registered (default)
[ 0.364310] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[ 0.364330] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[ 0.364832] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[ 0.943655] console [ttyPS0] enabled
[ 0.947840] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[ 0.954616] [drm] Initialized drm 1.1.0 20060810
[ 0.967322] brd: module loaded
[ 0.974502] loop: module loaded
[ 0.985953] libphy: MACB_mii_bus: probed
[ 1.062452] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[ 1.072328] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[ 1.083738] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 1.090186] ehci-pci: EHCI driver usb
[ 0.339429] phy0 supply vcc not found, using dummy regulator
[ 0.339536] phy1 supply vcc not found, using dummy regulator
[ 0.339670] --------------usb_udc_init ------
[ 0.339897] pps_core: LinuxPPS API ver. 1 registered
[ 0.339911] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[ 0.339967] PTP clock support registered
[ 0.340296] EDAC MC: Ver: 3.0.0
[ 0.341900] cfg80211: Calling CRDA to update world regulatory domain
[ 0.342332] Switched to clocksource arm_global_timer
[ 0.355865] NET: Registered protocol family 2
48 (order: 1, 8192 bytes)
[ 0.356703] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.356761] TCP: Hash tables configured (established 2048 bind 2048)
[ 0.356810] TCP: reno registered
[ 0.356828] UDP hash table entries: 256 (order: 1, 8192 bytes)
[ 0.356863] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[ 0.357070] NET: Registered protocol family 1
[ 0.357416] RPC: Registered named UNIX socket transport module.
[ 0.357429] RPC: Registered udp transport module.
[ 0.357438] RPC: Registered tcp transport module.
[ 0.357447] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.357873] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[ 0.359290] futex hash table entries: 512 (order: 3, 32768 bytes)
[ 0.360978] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[ 0.362068] io scheduler noop registered
[ 0.362090] io scheduler deadline registered
[ 0.362140] io scheduler cfq registered (default)
[ 0.364310] dma-pl330 f8003000.dmac: Loaded driver for PL330 DMAC-241330
[ 0.364330] dma-pl330 f8003000.dmac: DBUFF-128x8bytes Num_Chans-8 Num_Peri-4 Num_Events-16
[ 0.364832] e0001000.serial: ttyPS0 at MMIO 0xe0001000 (irq = 146, base_baud = 6249999) is a xuartps
[ 0.943655] console [ttyPS0] enabled
[ 0.947840] xdevcfg f8007000.devcfg: ioremap 0xf8007000 to 4f878000
[ 0.954616] [drm] Initialized drm 1.1.0 20060810
[ 0.967322] brd: module loaded
[ 0.974502] loop: module loaded
[ 0.985953] libphy: MACB_mii_bus: probed
[ 1.062452] macb e000b000.ethernet eth0: Cadence GEM rev 0x00020118 at 0xe000b000 irq 150 (00:0a:35:00:01:22)
[ 1.072328] macb e000b000.ethernet eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=e000b000.etherne:1e, irq=-1)
[ 1.083738] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 1.090186] ehci-pci: EHCI driver usb
[ 0.339429] phy0 supply vcc not found, using dummy regulator
[ 0.339536] phy1 supply vcc not found, using dummy regulator
[ 0.339670] --------------usb_udc_init ------
[ 0.339897] pps_core: LinuxPPS API ver. 1 registered
[ 0.339911] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[ 0.339967] PTP clock support registered
[ 0.340296] EDAC MC: Ver: 3.0.0
[ 0.341900] cfg80211: Calling CRDA to update world regulatory domain
[ 0.342332] Switched to clocksource arm_global_timer
[ 0.355865] NET: Registered protocol family 2
[ tch enabled, offset 1 lines
[ 0.000000] L2C-310 dynamic clock gating enabled, standby mode PCI platform driver
[ 1.094784] usbcore: registered new interface driver usbtmc
[ 1.100365] usbcore: registered new interface driver usb-storage
[ 1.106534] e0002000.usb supply vbus not found, using dummy regulator
[ 1.113235] ci_hdrc ci_hdrc.0: EHCI Host Controller
[ 1.118047] ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1
[ 1.142353] ci_hdrc ci_hdrc.0: USB 2.0 started, EHCI 1.00
[ 1.148519] hub 1-0:1.0: USB hub found
[ 1.152214] hub 1-0:1.0: 1 port detected
[ 1.156695] e0003000.usb supply vbus not found, using du2c: 20 kHz mmio e0005000 irq 144
[ 1.176481] zynq-edac f8006000.memory-controller: ecc not enabled
[ 1.182760] Xilinx Zynq CpuIdle Driver started
[ 1.187808] ledtrig-cpu: registered to indicate activity on CPUs
[ 1.193902] usbcore: registered new interface driver r8188eu
[ 1.200310] nand: device found, Manufacturer ID: 0x2c, Chip ID: 0xda
[ 1.206606] nand: Micron MT29F2G08ABAEAWP
[ 1.210572] nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[ 1.218145] nand: WARNING: pl353-nand: the ECC used on your system is too weak compared to the one required by the NAND chip
[ 1.229703] Bad block table found at page 131008, version 0x01
[ 1.235974] Bad block table found at page 130944, version 0x01
[ 1.242082] 11 ofpart partitions found on MTD device pl353-nand
[ 1.247931] Creating 11 MTD partitions on "pl353-nand":
[ 1.253145] 0x000000000000-0x000000780000 : "fsbl"
[ 1.259061] 0x000000780000-0x000000b80000 : "kerneldata"
[ 1.265382] 0x000000b80000-0x000000c00000 : "device-tree"
[ 1.271670] 0x000000c00000-0x000001100000 : "Manufacturedata"
[ 1.278360] 0x000001100000-0x000001600000 : "reserved1"
[ 1.284536] 0x000001600000-0x000003e00000 : "rootfs"
[ 1.290490] 0x000003e00000-0x000004800000 : "firmdata0"
[ 1.296725] 0x000004800000-0x000007000000 : "siglent"
[ 1.302817] 0x000007000000-0x00000d400000 : "datafs"
[ 1.308894] 0x00000d400000-0x00000fc00000 : "upgrade_cramdisk"
[ 1.315820] 0x00000fc00000-0x000010000000 : "reserved2"
[ 1.324034] TCP: cubic registered
[ 1.327276] NET: Registered protocol family 17
[ 1.331716] lib80211: common routines for IEEE802.11 drivers
[ 1.337825] Registering SWP/SWPB emulation handler
[ 1.349593] cramfs_fill_nand blocks is 320-----------------------
[ 1.349593]
[ 1.349593]
[ 1.349593]
[ 1.363081] VFS: Mounted root (cramfs filesystem) readonly on device 31:5.
[ 1.369933] devtmpfs: mounted
[ 1.373116] Freeing unused kernel memory: 192K (40626000 - 40656000)
[ 1.472440] usb 1-1: new high-speed USB device number 2 using ci_hdrc
[ 1.623754] hub 1-1:1.0: USB hub found
[ 1.627935] hub 1-1:1.0: 3 ports detected
Starting rcS...
Mounting filesystem
[ 1.804378] UBI-0: ubi_attach_mtd_dev:attaching mtd8 to ubi0
[ 2.206471] UBI-0: scan_all:scanning is finished
[ 2.218867] UBI-0: ubi_attach_mtd_dev:attached mtd8 (name "datafs", size 100 MiB)
[ 2.226325] UBI-0: ubi_attach_mtd_dev:PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 2.234884] UBI-0: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[ 2.243387] UBI-0: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[ 2.252052] UBI-0: ubi_attach_mtd_dev:good PEBs: 800, bad PEBs: 0, corrupted PEBs: 0
[ 2.259802] UBI-0: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[ 2.268735] UBI-0: ubi_attach_mtd_dev:max/mean erase counter: 10/4, WL threshold: 4096, image sequence number: 950638423
[ 2.279582] UBI-0: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 800, PEBs reserved for bad PEB handling: 40
[ 2.290534] UBI-0: ubi_thread:background thread "ubi_bgt0d" started, PID 662
[ 2.294871] UBI-1: ubi_attach_mtd_dev:attaching mtd7 to ubi1
[ 2.456155] UBI-1: scan_all:scanning is finished
[ 2.467921] UBI-1: ubi_attach_mtd_dev:attached mtd7 (name "siglent", size 40 MiB)
[ 2.475371] UBI-1: ubi_attach_mtd_dev:PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 2.483930] UBI-1: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[ 2.492433] UBI-1: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[ 2.501232] UBI-1: ubi_attach_mtd_dev:good PEBs: 320, bad PEBs: 0, corrupted PEBs: 0
[ 2.508958] UBI-1: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[ 2.517855] UBI-1: ubi_attach_mtd_dev:max/mean erase counter: 13/9, WL threshold: 4096, image sequence number: 1819264682
[ 2.528786] UBI-1: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 320, PEBs reserved for bad PEB handling: 40
[ 2.539818] UBI-1: ubi_thread:background thread "ubi_bgt1d" started, PID 666
[ 2.544307] UBI-2: ubi_attach_mtd_dev:attaching mtd6 to ubi2
[ 2.586871] UBI-2: scan_all:scanning is finished
[ 2.597656] UBI-2 warning: print_rsvd_warning: cannot reserve enough PEBs for bad PEB handling, reserved 9, need 40
[ 2.608741] UBI-2: ubi_attach_mtd_dev:attached mtd6 (name "firmdata0", size 10 MiB)
[ 2.616346] UBI-2: ubi_attach_mtd_dev:PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 2.624925] UBI-2: ubi_attach_mtd_dev:min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[ 2.633428] UBI-2: ubi_attach_mtd_dev:VID header offset: 2048 (aligned 2048), data offset: 4096
[ 2.642096] UBI-2: ubi_attach_mtd_dev:good PEBs: 80, bad PEBs: 0, corrupted PEBs: 0
[ 2.649747] UBI-2: ubi_attach_mtd_dev:user volume: 1, internal volumes: 1, max. volumes count: 128
[ 2.658688] UBI-2: ubi_attach_mtd_dev:max/mean erase counter: 10/6, WL threshold: 4096, image sequence number: 1777018790
[ 2.669646] UBI-2: ubi_attach_mtd_dev:available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 9
[ 2.680416] UBI-2: ubi_thread:background thread "ubi_bgt2d" started, PID 670
[ 2.742578] usb 1-1.2: new high-speed USB device number 3 using ci_hdrc
[ 2.767135] UBIFS: mounted UBI device 1, volume 0, name "siglent", R/O mode
[ 2.774059] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 2.783150] UBIFS: FS size: 33775616 bytes (32 MiB, 266 LEBs), journal size 4952064 bytes (4 MiB, 39 LEBs)
[ 2.792774] UBIFS: reserved for root: 0 bytes (0 KiB)
[ 2.797803] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 52ED3690-D3C2-49A9-9055-7EBFF2762FCB, small LPT model
[ 2.874537] UBIFS: mounted UBI device 2, volume 0, name "firm0", R/O mode
[ 2.881260] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 2.890386] UBIFS: FS size: 7237632 bytes (6 MiB, 57 LEBs), journal size 1650688 bytes (1 MiB, 13 LEBs)
[ 2.895761] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[ 2.899916] scsi host0: usb-storage 1-1.2:1.0
[ 2.910329] UBIFS: reserved for root: 0 bytes (0 KiB)
[ 2.915380] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C429C489-76D4-469B-8BFE-043289ABBD0F, small LPT model
[ 2.929148] UBIFS: background thread "ubifs_bgt0_0" started, PID 682
[ 2.960826] UBIFS: recovery needed
[ 3.026853] UBIFS: recovery completed
[ 3.030538] UBIFS: mounted UBI device 0, volume 0, name "rootfs"
[ 3.036487] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 3.045634] UBIFS: FS size: 94597120 bytes (90 MiB, 745 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
[ 3.055228] UBIFS: reserved for root: 0 bytes (0 KiB)
[ 3.060251] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C886A817-B838-46DF-AE16-F9920045A7D7, small LPT model
Upgrade start
Configure eth0
Starting mdev
[ 3.893675] scsi 0:0:0:0: Direct-Access Generic Flash-Disk 1.09 PQ: 0 ANSI: 2
[ 3.904053] sd 0:0:0:0: Attached scsi generic sg0 type 0
[ 3.909788] sd 0:0:0:0: [sda] 15728640 512-byte logical blocks: (8.05 GB/7.50 GiB)
[ 3.919526] sd 0:0:0:0: [sda] Write Protect is off
[ 3.926123] sd 0:0:0:0: [sda] No Caching mode page found
[ 3.931375] sd 0:0:0:0: [sda] Assuming drive cache: write through
[ 3.945598] sda:
[ 3.953257] sd 0:0:0:0: [sda] Attached SCSI removable disk
[ 4.106171] xilinx-dma 40400000.dma: Probing xilinx axi dma engine...Successful
[ 4.132424] xilinx-vdma 43010000.dma: Xilinx AXI VDMA Engine Driver Probed!!
[ 4.148108] sigdma_init++++++
[ 4.171856] siglentkb probe
[ 4.174840] ##### siglentkb registers 4fc3c580 4fc3e5a4 4fc525b8
[ 4.201999] usbcore: registered new interface driver mt7601u
[ 4.215120] irq = 170
config read
###### Config vdma for wave transform #######
config write
config read
dump s2mm registers
dump mm2s registers
####### done! ########
Config vnc data to memory
Config done!
[ 4.434381] UBIFS: background thread "ubifs_bgt1_0" started, PID 792
ln: /usr/bin/siglent/config/www/web_img/usr: File exists
Starting Lighttpd Web Server: Initializing framebuffer device /dev/fb0...
xres=800, yres=480, xresv=800, yresv=480, xoffs=0, yoffs=0, bpp=16
Initializing touch device /dev/input/event0 ...
Initializing VNC server:
width: 800
height: 480
bpp: 16
port: 5900
Initializing server...
01/01/1970 00:00:04 Listening for VNC connections on TCP port 5900
[ 4.619329] random: lighttpd urandom read with 27 bits of entropy available
lighttpd.
[ 4.757138] UBIFS: background thread "ubifs_bgt1_0" stops
rcS Complete
Processing /etc/profile... Done
/ # [ 5.064577] macb e000b000.ethernet eth0: link up (100/Full)
�[34m[INFO]:�[0mcalibrate_t():line=81:calibrate_t::calibrate_t()
product_type SDS1004X_E
mkdir: can't create directory '/usr/bin/siglent/usr/wifi/': File exists
rm: can't remove '/usr/bin/siglent/usr/wifi/wpa_supplicant': No such file or directory
$Task start:: SCPI
$Task start:: Devce
$Task start:: WLAN
vxi11_main = 6861.09
$Task start:: Udisk&Lan
sh: write error: Invalid argument
$Task start:: Vxi11_client
drv_instance_manage_t: produce_id: 13501[ 6.916941] FAT-fs (sda): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
(DRV_PRODUCT_PIKACHU)
_drv_product=4
acq_scal_user = -1.000000
eth0 on
[ 6.984507] device eth0 entered promiscuous mode
ready...
ready...
ready...
ready...
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_awg_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_wifi_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_mso_license.txt
[ 7.336193] export_store: invalid GPIO 115
sh: write error: Invalid argument
scpi_register_cmd_boardtest
sh: can't create /sys/class/gpio/gpio115/direction: nonexistent directory
sh: can't create /sys/class/gpio/gpio115/value: nonexistent directory
open file %s fail !!!!/usr/bin/siglent/config/arb/2ASK.wav
ready...
cp: can't stat '/usr/bin/siglent/usr/usr/save_setting.xml': No such file or directory
/usr/bin/siglent/usr/usr/save_setting.xml not exist
$Task start:: UI
ifconfig: SIOCGIFFLAGS: No such device
$Task start:: awg_thread
mod_if_exit_handler:signal=11
Clean Up Ready!
Clean Up - nlog
Clean Up - Main Thread
Clean Up - scpi
Clean Up - timer
Clean Up - dev_thread
Clean Up - ui
Clean Up - acq_thread
Clean Up - acq_data
Clean Up - draw_wave
Clean Up - bu_cfg
Clean Up - bu_main
Clean Up - bu_app
Clean Up - key
Clean Up - other
Clean Up - usbtmc
Clean Up - VXI_11
Clean Up - dev_interrupt
Clean Up - wlan_manager
Clean Up - power_off
Clean Up - telnet_scpi
Clean Up - socket_scpi
Clean Up - vxi11_client
Clean Up - Config
Clean Up - sdg_Timer
Clean Up - awg_thread
Clean Up - usbtmc_assistant_interrupt
Clean Up Over!
sds1000b.app: mempool.h:81: MemoryChunk::~M[ 11.072046] Free all channel resources.
emoryChunk(): Assertion `tempcount==count' failed.
tempcount=0,[ 11.077790] Free all channel resources.
3. Start sds1000b.app commnd
/usr/bin/siglent/sds1000b.app &
[1]- Aborted /usr/bin/siglent/sds1000b.app
/ #
/ # �[34m[INFO]:�[0mcalibrate_t():line=81:calibrate_t::calibrate_t()
product_type SDS1004X_E
mkdir: can't create directory '/usr/bin/siglent/usr/wifi/': File exists
rm: can't remove '/usr/bin/siglent/usr/wifi/wpa_supplicant': No such file or directory
$Task start:: SCPI
route: SIOCADDRT: File exists
$Task start:: Devce
sh: write error: Device or resource busy
sh: write error: Device or resource busy
sh: write error: Device or resource busy
sh: write error: Device or resource busy
vxi11_main = 1.89248e+06
drv_instance_manage_t: produce_id: 13501
(DRV_PRODUCT_PIKACHU)
_drv_product=4
$Task start:: WLAN
$Task start:: Udisk&Lan
acq_scal_user = -1.000000
$Task start:: Vxi11_client
[ 1892.568522] export_store: invalid GPIO 115
sh: write error: Invalid argument
sh: can't create /sys/class/gpio/gpio115/direction: nonexistent directory
sh: can't create /sys/class/gpio/gpio115/value: nonexistent directory
open file %s fail !!!!/usr/bin/siglent/config/arb/2ASK.wav
ready...
ready...
ready...
ready...
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_awg_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_wifi_license.txt
bu_cfg module error:mode-type:/usr/bin/siglent/firmdata0/options_mso_license.txt
scpi_register_cmd_boardtest
ready...
cp: can't stat '/usr/bin/siglent/usr/usr/save_setting.xml': No such file or directory
/usr/bin/siglent/usr/usr/save_setting.xml not exist
$Task start:: UI
mod_if_exit_handler:signal=11
Clean Up Ready!
Clean Up - nlog
Clean Up - Main Thread
Clean Up - scpi
Clean Up - timer
Clean Up - dev_thread
Clean Up - ui
Clean Up - acq_thread
Clean Up - acq_data
Clean Up - draw_wave
Clean Up - bu_cfg
Clean Up - bu_main
Clean Up - bu_app
Clean Up - key
Clean Up - other
Clean Up - usbtmc
Clean Up - VXI_11
Clean Up - dev_interru[ 1894.929648] Free all channel resources.
pt
Clean Up - wlan_manager
Clean Up - power_off
Clean Up - te[ 1894.937666] Free all channel resources.
lnet_scpi
Clean Up - socket_scpi
Clean Up - vxi11_client
Clean Up - Config
Clean Up - sdg_Timer
Clean Up - awg_thread
Clean Up - usbtmc_assistant_interrupt
Clean Up Over!
sds1000b.app: mempool.h:81: MemoryChunk::~MemoryChunk(): Assertion `tempcount==count' failed.
-
So, you can place back the missing files, right?
-
turned out that languages files are on right place. ???
-
Thank you for all this work! I would be interested if anyone really measured the bandwidth after this "upgrade" that merely shows a different Siglent product which is capable of 200MHz. Just seeing a different model name is not really convincing! No one in this forum has posted a sweep up to 200MHz before and after the hack. Could someone please do so to satisfy my curiosity but more importantly the fact that this upgrade indeed is valid?
Thanks
Lutz
-
No one in this forum has posted a sweep up to 200MHz before and after the hack. Could someone please do so to satisfy my curiosity but more importantly the fact that this upgrade indeed is valid?
There are plenty of those validations in the right threads. You just didn't search enough. No need to start over that theme.
-
Indeed, my bad - sorry. I found the validations in a different thread.
Thanks
Lutz
-
I'm a little bit farther with my work:)
Using UART interface there is an option to stop autoboot by taping any key during starting of scope.
Start menu vdma ...
Config AXI VDMA...
Start menu vdma done.
U-Boot 2014.07-svn32760 (Mar 23 2018 - 01:35:12)
Board: Xilinx Zynq
I2C: ready
DRAM: ECC disabled 243 MiB
NAND: 256 MiB
MMC: zynq_sdhci: 0
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
int board_late_init(void)+++++
[INFO]int fb_display_logo(void)++++++++++++
[INFO]pStorageMem=0xfa00000, logo_data=0x200036, width=800, height=480
[INFO]int fb_display_logo(void)----------
int board_late_init(void)-----
Net: Gem.e000b000
Hit any key to stop autoboot: 0
I'm using putty (serial mode) to tapping any key. This giving me access to uboot command line. Using uboot it is possible to read and write NAND memory without any limits.
here is uboot commands list:
zynq-uboot> help
? - alias for 'help'
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
bootz - boot Linux zImage image from memory
clk - CLK sub-system
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dcache - enable or disable data cache
dfu - Device Firmware Upgrade
dhcp - boot image via network using DHCP/TFTP protocol
echo - echo args to console
editenv - edit environment variable
env - environment handling commands
exit - exit script
ext2load- load binary file from a Ext2 filesystem
ext2ls - list files in a directory (default /)
ext4load- load binary file from a Ext4 filesystem
ext4ls - list files in a directory (default /)
ext4write- create a file in the root directory
false - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
fatwrite- write file into a dos filesystem
fdt - flattened device tree utility commands
fpga - loadable FPGA image support
go - start application at address 'addr'
help - print command description/usage
i2c - I2C sub-system
icache - enable or disable instruction cache
iminfo - print header information for application image
imxtract- extract a part of a multi-image
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loadx - load binary file over serial line (xmodem mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mdio - MDIO utility commands
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mmc - MMC sub system
mmcinfo - display MMC info
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
showvar - print local hushshell variables
sleep - delay execution for some time
source - run script from memory
spl - SPL configuration
test - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
thordown- TIZEN "THOR" downloader
true - do nothing, successfully
usb - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version
using it I've updated OS manually. All necessery comands and adresses for uboot are in sds1004x_e_udiskEnv.txt file from official siglent SDS1004X-E_OSV1_EN pack. All need to be done is putting files(uImage, devicetree.dtb, rootfs.cramfs) to USB drive, insert it to scope and mount by command:
usb start
and then flash files to nand by:
if fatload usb 0 0x100000 uImage; then nand erase 0x780000 0x400000;nand write 0x100000 0x780000 ${filesize};mw.b 0x100000 0x0 ${filesize}; fi
if fatload usb 0 0x100000 devicetree.dtb; then nand erase 0xB80000 0x80000;nand write 0x100000 0xB80000 ${filesize};mw.b 0x100000 0x0 ${filesize}; fi
if fatload usb 0 0x100000 rootfs.cramfs; then nand erase 0x1600000 0x2800000;nand write 0x100000 0x1600000 ${filesize};mw.b 0x100000 0x0 ${filesize}; fi
I've done it, but my scope still can't start sds1000b.app
Probably the mess is somewhere else. Maybe flash of others files (firmdata0.img, siglent.img, datafs.img) from sds1004x_e_udiskEnv.txt would fix this problem but I don't have them. Seems like this data are included in .ads firmware file. In my case I can't use .ads file before sds1000b.app starting.
In fact I have memdump.bin file with all data inside but I'm scare to erase all NAND content(including uboot) and then flash it because comparinng contents of dump with OS pack files I see some differences: e.g.
begining of uImage file should be on address 0x780000 regarding sds1004x_e_udiskEnv.txt but this content in dump file are started in two points: 0x2080000 and 0x6B7C000
devicetree.dtb:
sds1004x_e_udiskEnv.txt -> 0xB80000
memdump.bin -> 0x2000000 and 0x6AFC000
rootfs.cramfs:
sds1004x_e_udiskEnv.txt -> 0x1600000
memdump.bin -> 0xEA27000
I'm not sure is my logic correct?
-
Probably the mess is somewhere else. Maybe flash of others files (firmdata0.img, siglent.img, datafs.img) from sds1004x_e_udiskEnv.txt would fix this problem but I don't have them. Seems like this data are included in .ads firmware file. In my case I can't use .ads file before sds1000b.app starting.
Don't flash the whole NAND!
You've done a great job. Just continue with it, methodically.
Later today I'll decrypt those .ADS where you can extract the .img files. Then you can flash them individually.
Which was the FW version that you had in the scope?
-
Thanks in advance. I have 6.1.25R2 now.
-
tv84
it works:)
I found "siglent" backup folder and replaced files manually.
After this operation sds1000b.app got up. I updated to .33 version and did trick with language files names using putty serial(it works exactly like a root).
Now it's ok. Scope is fully unlocked with english language.
thanks for help. I hope our conversation can help others also. This serial access to root and uboot is pretty interesting. I'm wondering is this option also on others siglent devices.
-
it works:)
What's the answer to this SCPI command?
MD5_PR?
-
SDS1000X-E
-
So, can you simply update with the latest FW and it will stay in english? Or does it revert to chinese?
Besides the label on the scope box, where do you see the "X-C" reference? (in what screen/menu)
-
No need to start over that theme.
You are absolutely right, there is no need to warm up old stories. To my excuse, I wasn't aware of them. Nonetheless, I am attaching the max. DFT's (direct 50 Ohm BNC-T terminated) of a 50-400MHz sweep from the VCO of a "Geekcreit® Spectrum Analyzer USB LTDZ 35-4400M" from Banggood - before and after the hack. Its an absolute Bobby Dazzler ;D. A different can of worms seems to be the questions of what probes to use now. I know there is tons of material on the EEVBlog forums and comprehensive reviews, so I will find my way.
-
After updating FW language is changing back to Chinese.
I see X-C label on scope info screen with versions.
Also *IND? command return X-C model name.
-
Also *IND? command return X-C model name.
Try this command and report:
MD5_PR SDS1000X-E (you have already told me this one outputs X-E...)
See what is the output of this one:
PROD?
Then do:
PROD SDS1000X-E (or similar)
Show these ones:
LAGG?
LANG?
-
LANG is for scope
LAGG is for AWG
-
I'm not sure that changing model name is possible by SCPI.
PROD?
PROD MODEL,SDS1000X-E,BAND,25MHZ
LAGG?
LAGG CH
LANG?
LANG SC
-
I'm not sure that changing model name is possible by SCPI.
I do not believe so.
It is my recollection the scope calculates its "model" number based on the bandwidth, e.g. a SDS1104X-E with a 200 mhz bandwidth key will show up as a SDS1204X-E in the menus, etc.
-
I'm not sure that changing model name is possible by SCPI.
PROD?
PROD MODEL,SDS1000X-E,BAND,25MHZ
LAGG?
LAGG CH
LANG?
LANG SC
Just try:
LANG EN
I agree that we won't be able to change it with the PRODUCT MODEL as you show with the SCPI responses.
-
I've tried LANG EN, LANG ENG, LANG SE with not effect:(
-
On the latest firmware, they hard coded the language text inside the scope application, with the help files just being a left over. I've not dug into it recently, but it could be as simple as patching the language tree in the application
Other places you can have a look
usr\bin\siglent\config\NSP_trends_config_info.xml
usr\bin\siglent\firmdata0\factory_settings.xml
usr\bin\siglent\usr\user_default_settings.xml
usr\bin\siglent\usr\config\NSP_usr_system_info.xml
usr\bin\siglent\usr\config\temp_settings.xml
usr\bin\siglent\usr\config\save_settings.xml
for the ones that use a numeric language, looks like "2" is english
-
Hi folks,
about a year ago I had the idea to buy this scope and read the thread about patching and hacking it... but I didn't.
Now -- with christmas vacation spare time in mind -- I came back to this idea.
To make my question short: Does everything work with the same hacking instruction as a year ago? Are the actual firmwares safe, or is there a catch? It's much to read and especially over-read in this and the other thread about that topic. And the important parts are well distributed in that large amounts of text.
thank you
Kai
-
Dear Kai, if your question concerns the SDS1104X-E, the bandwidth hack (with model number change to SDS1204X-E) still works perfectly fine. I did mine about a month ago (see also my posts).
Regards, Lutz
-
After updating FW language is changing back to Chinese.
I see X-C label on scope info screen with versions.
Also *IND? command return X-C model name.
update the the X-C model whit X-E's update package will change it to X-E , right?
The capture rate is 400000wfm/s but X-C is 200000wfm/s
-
The codes generated by the python-script (doing it as described in #168) seem to activate the 200MHz correctly, but no other features show up as activated, and instead stay as Trial with a countdown.
I tried to enter all codes at once, then do the reboot.
Then tried one and one, rebooting in between, same result.
Is the script not able to correctly generate the other codes correctly or am I doing it wrong?
-
The codes generated by the python-script (doing it as described in #168) seem to activate the 200MHz correctly, but no other features show up as activated, and instead stay as Trial with a countdown.
I tried to enter all codes at once, then do the reboot.
Then tried one and one, rebooting in between, same result.
Is the script not able to correctly generate the other codes correctly or am I doing it wrong?
Everything is working correctly, have a look at my post below. Did you use the newer (see "update" link inside post from wgoe) Python code? If not, you need to use the serial number instead of the scope id. Also, for the SW options you can't use MCBD. Best way is to type it in the scopes UI as if you bought the upgrade...
Hope this helps.
Lutz
Hi all! I am newbie and I have some questions about updating my SDS1104X-E (Current FW is 6.1.26):
I have done memorydump, but not yet activating wifi, 200 MHz etc.. So should I first upgrade FW to 6.1.33, and next install Plurs .ads file from usbstick? And what is Python file, I can't find it ?
Could someone please send me more detailed instructions on the upgrade via PM?
Thanks
Well, I had my fair share of mishaps, but now I can say with confidence that everything is quiet trivial. Here is what worked for me:
1) I updated to 6.1.33 but as I understood from others you don't have to. All license changes will be persistent after FW changes.
2) Connect your scope to your local network and write down the IP address. You can also use the USB if you don't have LAN, in this case skip to (4).
3) Use IE or other browser from a PC in that LAN simply by the IP address (http://xxx.yyy.zzz.aaa (http://xxx.yyy.zzz.aaa)).
4) Your scope answers you with a web page containing 4 big buttons on the left, push the bottom (SPCI control) one.
5) In the command line enter SCOPEID? and receive your scope ID in the text window below, write it down, remove the dashes.
6) Have your scope's serial number ready. Get it from either your cal sheet or from scope Info button, or finally via SPCI command *IDN? (it returns comma separated model, SN, SW version)
7) Get the updated (!) Python code from here: (The updated link from wgoeo goes to a website that can also run the code).
I haven't fully tested this but the output matches the bandwidth keys in reply #89 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2133526/#msg2133526).
Needs Python 3, just replace the serial and run.
Edit: Update (https://repl.it/@wgoeo/siglent-keygen), thanks tinhead!
8 ) Enter 16 character Scope ID (remove the dashes inbetween!) and the 14 character serial number in the corresponding placeholders of the py-code file.
9) Run the Python code, either on your PC if you have PyCharm or Visual Studio or find an online Python engine where you can paste the patched py code and run it. Most simple is to just run it off the website provided by wgeoe. There you can also paste your ID/SN in.
10) Pick the for the SDS1000X-E relevant keys from the result (100M, 200M, AWG, WIFI, MSO).
11) Go back to the SPCI terminal and install the bandwidth key with MCBD <key> (e.g. MCBD 0123456789ABCDEF). If the key was taken you will see with MCBD?. Then the same key you just entered appears in the result window. Also you can see instantly that the scope has now changed model number. (No scope restart is needed, result is immediate. You even see the change in noise when in the 0.5mV range with nothing connected).
12) Now install the SW options. On the SPCI use LCISL <option> <key> (Option AWG, WIFI, MSO), (e.g. LCISL WIFI 0123456789ABCDE). I used the scope's function to enter the key under Utilities, Options, on one of the pages select one of the three options and press install button to enter the key, scope will answer "License key installed" (make sure the key is correct, I fell victim to my own handwriting and almost gave up until I noticed that I mistook Z for a 2 |O ).
13) Although changes are imminent, for sanity reboot the scope and do a calibration.
14) Congratulations you are done. Don't forget to thank wgoeo and tinhead.
cheers
Lutz
-
Ok, I figured out my error.
On the scope-UI, one must FIRST SELECT TYPE on the left most button before pressing INSTALL-button :)
Well that was...in a way logical...but...yeah...;)
-
Ok, I figured out my error.
On the scope-UI, one must FIRST SELECT TYPE on the left most button before pressing INSTALL-button :)
Well that was...in a way logical...but...yeah...;)
I've go same issue as tjohejsanhopp, 200MHz upgrade went just fine. All other options returning The data is invalid! on scope screen. LCISL command returns Success but options remains trial.
Scope fw is 6.1.33
-
Ok, I figured out my error.
On the scope-UI, one must FIRST SELECT TYPE on the left most button before pressing INSTALL-button :)
Well that was...in a way logical...but...yeah...;)
I've go same issue as tjohejsanhopp, 200MHz upgrade went just fine. All other options returning The data is invalid! on scope screen. LCISL command returns Success but options remains trial.
Scope fw is 6.1.33
Have you tried the scope UI? This should work nonetheless. Check again the key(s) for typos and remember to use the serial number (not the scope ID) to generate them.
-
That was just extra 0 in serial #. All went fine through
-
Hi all, amazing thread, I read every message carefully - great to see the teamwork at play here!
One non-technical question, I spotted a few users having successfully 'upgraded' their scope even after updating the fw to 6.1.33 (which is the very latest).
This implies that Siglent has not implemented a countermeasure to this 'upgrade' - am i missing something? Not that I'm complaining, but I find it curious, to say the least (a quick google search returns this thread when you look for 'most hackable scope' etc).
-
This implies that Siglent has not implemented a countermeasure to this 'upgrade' - am i missing something?
Would you have bought yours if ir wasn't hackable? :popcorn:
Not that I'm complaining, but I find it curious, to say the least (a quick google search returns this thread when you look for 'most hackable scope' etc).
It's a marketing ploy - make the buyers feel clever and like they're getting something for free. Who can resist that feeling?
It also allows them to sell 'scopes for double price to institutional people people who are paranoid about warranties - double win!
PS: It was Rigol who really started this practice. I'm convinced the riglol website is really run by Rigol.
-
Siglents stance on it is, as long as it is not a remote code execution exploit, they have better things to work on,
The earlier SCPI method was a remote command that executed as root with no authentication... so that got patched quickly,
The new method needs physcial access, so much less of a concern. seeing as they are trying to sell these things in schools and businesses.
-
This implies that Siglent has not implemented a countermeasure to this 'upgrade' - am i missing something?
Would you have bought yours if ir wasn't hackable? :popcorn:
Not that I'm complaining, but I find it curious, to say the least (a quick google search returns this thread when you look for 'most hackable scope' etc).
It's a marketing ploy - make the buyers feel clever and like they're getting something for free. Who can resist that feeling?
It also allows them to sell 'scopes for double price to institutional people people who are paranoid about warranties - double win!
PS: It was Rigol who really started this practice. I'm convinced the riglol website is really run by Rigol.
Oh you really think its a business plan for us nerd population? Sounds plausible ...
-
hello everyone, i just want to hack my SDS1204X-E 's AWG, LA, and WIFI license...does anyone here know how to do that? thx before, and i am sorry if it is OOT ;D
-
Quote from: aimc on November 14, 2019, 06:17:49 pm (https://www.eevblog.com/forum/index.php?topic=136445.msg2784554#msg2784554)
...
Thanks for posting this step-by-step summary. Followed it precisely and completed my 1104X-E -> "1204X-E," w/ options unlocked, in ~10 mins.
-
The codes generated by the python-script (doing it as described in #168) seem to activate the 200MHz correctly, but no other features show up as activated, and instead stay as Trial with a countdown.
I tried to enter all codes at once, then do the reboot.
Then tried one and one, rebooting in between, same result.
Is the script not able to correctly generate the other codes correctly or am I doing it wrong?
Everything is working correctly, have a look at my post below. Did you use the newer (see "update" link inside post from wgoe) Python code? If not, you need to use the serial number instead of the scope id. Also, for the SW options you can't use MCBD. Best way is to type it in the scopes UI as if you bought the upgrade...
Hope this helps.
Lutz
Hi all! I am newbie and I have some questions about updating my SDS1104X-E (Current FW is 6.1.26):
I have done memorydump, but not yet activating wifi, 200 MHz etc.. So should I first upgrade FW to 6.1.33, and next install Plurs .ads file from usbstick? And what is Python file, I can't find it ?
Could someone please send me more detailed instructions on the upgrade via PM?
Thanks
Well, I had my fair share of mishaps, but now I can say with confidence that everything is quiet trivial. Here is what worked for me:
1) I updated to 6.1.33 but as I understood from others you don't have to. All license changes will be persistent after FW changes.
2) Connect your scope to your local network and write down the IP address. You can also use the USB if you don't have LAN, in this case skip to (4).
3) Use IE or other browser from a PC in that LAN simply by the IP address (http://xxx.yyy.zzz.aaa (http://xxx.yyy.zzz.aaa)).
4) Your scope answers you with a web page containing 4 big buttons on the left, push the bottom (SPCI control) one.
5) In the command line enter SCOPEID? and receive your scope ID in the text window below, write it down, remove the dashes.
6) Have your scope's serial number ready. Get it from either your cal sheet or from scope Info button, or finally via SPCI command *IDN? (it returns comma separated model, SN, SW version)
7) Get the updated (!) Python code from here: (The updated link from wgoeo goes to a website that can also run the code).
I haven't fully tested this but the output matches the bandwidth keys in reply #89 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2133526/#msg2133526).
Needs Python 3, just replace the serial and run.
Edit: Update (https://repl.it/@wgoeo/siglent-keygen), thanks tinhead!
8 ) Enter 16 character Scope ID (remove the dashes inbetween!) and the 14 character serial number in the corresponding placeholders of the py-code file.
9) Run the Python code, either on your PC if you have PyCharm or Visual Studio or find an online Python engine where you can paste the patched py code and run it. Most simple is to just run it off the website provided by wgeoe. There you can also paste your ID/SN in.
10) Pick the for the SDS1000X-E relevant keys from the result (100M, 200M, AWG, WIFI, MSO).
11) Go back to the SPCI terminal and install the bandwidth key with MCBD <key> (e.g. MCBD 0123456789ABCDEF). If the key was taken you will see with MCBD?. Then the same key you just entered appears in the result window. Also you can see instantly that the scope has now changed model number. (No scope restart is needed, result is immediate. You even see the change in noise when in the 0.5mV range with nothing connected).
12) Now install the SW options. On the SPCI use LCISL <option> <key> (Option AWG, WIFI, MSO), (e.g. LCISL WIFI 0123456789ABCDE). I used the scope's function to enter the key under Utilities, Options, on one of the pages select one of the three options and press install button to enter the key, scope will answer "License key installed" (make sure the key is correct, I fell victim to my own handwriting and almost gave up until I noticed that I mistook Z for a 2 |O ).
13) Although changes are imminent, for sanity reboot the scope and do a calibration.
14) Congratulations you are done. Don't forget to thank wgoeo and tinhead.
cheers
Lutz
lols thx so much everyone... i have finally unlocked them all..hope that siglent won't get angry about this ;D ;D
-
Unlocking 1104x-e to 200 Mhz bandwith ( 1204x-e ) is reversible ? I suppose this voids the warranty ?
-
Unlocking 1104x-e to 200 Mhz bandwith ( 1204x-e ) is reversible ? I suppose this voids the warranty ?
You can reverse to 100MHz. Just use the key for 100MHz. Does not void warranty.
-
I also succeeded finding codes with wgoeo python script (thanks man!!) and later on MCBD ing for 200MHz and introducing codes for MSO / WIFI / AWG directly on scope interface. They seem to be properly set as when pressing the options => Information menu i can not change they appear as permanent licenses.
BUT... i bought a WIFI TPLINK WN725N, the one advertised to be used. After plugging it I am able to manually scan for the Wifi networks, finding those around without hassle. I am able to connect to a wlan and to manually set an ip or to leave it to DHCP. In both cases the scope returns a wlan connected message and shows the wifi wave icon in the bottom down menu. In the dhcp mode it is assigned a proper IP, according to the range defined in the wlan router (so no random IP, but a logical one).
BUT... unfortunately it is not really working. I cannot access the webpage (that i am capable to do so with a wired LAN connection). If i ping it, no answer at all. If i try to use it to connect to my awg emulated server it is not working either.
Therefore, I don't know if it is TPLINK usb interface (there seems to be several versions out there) despite it properly finds wlan's and says "wlan connected" OR if it is an issue with the codes the python script calculated, requiring an extra step
Reading through the entire pages it seems to happen at least to another user.
Regards
-
The $7 wifi adapter arrived from Newegg yesterday and it is the TP-Link TL-WN725N v3. It connected it to my SDS1104X-E & gets a valid IP via DHCP. I can't seem to access the scope web interface though. Via wired Ethernet it works fine. Running latest firmware with wifi feature unlocked.
Does the driver support all three TP-Link TL-WN725N versions? It seems so given that DHCP worked and the message pops up 'WLAN connected' but I cannot access the web interface or even ping the scope. Again, wired all working. I tried both USB ports, front and back.
The very same issue here. I followed a different approach (wgoeo python script). Did you manage to work out a solution?
-
Therefore, I don't know if it is TPLINK usb interface (there seems to be several versions out there) despite it properly finds wlan's and says "wlan connected" OR if it is an issue with the codes the python script calculated, requiring an extra step
If it accepted the licence codes you should be good to go.
The correct dongle is the gold one but I have not heard problems with the other ones. Maybe yours is a copy ?
Just make sure all your WLAN, PW and IP are all correct as it's easy to make a mistake.
Dongle range can sometimes be a problem so move closer to your access point and try again.
-
Yeah. It is the golden plated one. It seems the original one (packaging, instructions and so).
I will check the range suggestion. I will come back to the forum let others users know.
Regards
-
Please tell me I can not get SCOPEID.
SDS2000X-E firmware 1.1.19R2_EN.
I went through the browser to the ip address
In the SCPI field, I execute the SCOPEID command, but in response I get nothing.
SCPI no longer works on new firmware?
How can I find ScopeID
P/S
Everything works ! I entered the command incorrectly
-
are you using SCOPEID? with the question mark?
-
Now that I've unlocked my Siglent 1104X-E to a 1204X-E, what passive probe upgrade do you recommend? Looking to try to keep it under $30 per probe.
-
Now that I've unlocked my Siglent 1104X-E to a 1204X-E, what passive probe upgrade do you recommend? Looking to try to keep it under $30 per probe.
Answered here:
https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg2953604/#new (https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg2953604/#new)
BTW, double posting is frowned upon here.
-
What... I was supposed to find that post amongst all that is the EEVBlog forum? C'mon, man. Thanks for the answer.
-
Hello all!
I am planning on hacking my scope and was curious on what all the other options were from the python script? I tried looking around different threads but I couldn't find explanations. Thanks!
MAX
FLX
CFD
I2S
1553
FG
16LA
-
Hello all!
I am planning on hacking my scope and was curious on what all the other options were from the python script? I tried looking around different threads but I couldn't find explanations. Thanks!
MAX
FLX
CFD
I2S
1553
FG
16LA
Welcome to the forum.
Only 2 are valid options, FG which needs the USB powered AWG HW and LA that also needs the 16ch MSO hardware.
As these share some core programming with other models is the reason you see some options pop out but they aren't applicable to any of the X-E models.
-
Thank you! Excited to be on here! Have been a lurker for a few years now and finally decided to create an account! ;D
I noticed there are several threads hacking the 1104X-E and have different ways to hack it. Some require a USB stick, and others do not. Some ways also require downgrading firmware.
What is the latest / best way? Would either of these two ways work? Thanks for your help!
https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg3014076/#msg3014076 (https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg3014076/#msg3014076)
https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705)
-
Update:
The method without the memory dump worked great for me. I installed the options manually via the Utility menu. Pretty straight forward. Scope FW: 6.1.33
https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705)
Thanks! :D
-
Hello all!
I am planning on hacking my scope and was curious on what all the other options were from the python script? I tried looking around different threads but I couldn't find explanations. Thanks!
MAX
FLX
CFD
I2S
1553
FG
16LA
Welcome to the forum.
Only 2 are valid options, FG which needs the USB powered AWG HW and LA that also needs the 16ch MSO hardware.
As these share some core programming with other models is the reason you see some options pop out but they aren't applicable to any of the X-E models.
thank you,
wich are the differences between MSO and 16LA key?
I used MSO key from option menù and it is ok, but how can I use 16LA?
LCISD <option> <key> doesn't work from SCPI web interface
-
Got my SDS1104X-E today:
software 6.1.35R2
uboot 8.1
fpga 2019-11-15
hw 01-04
python script worked fine, bandwidth "fixed" using web server, options "adjusted" using scope physical buttons.
Thank you all! :-+
-
Good day! How about the rise time after the hacking oscilloscope. Did anyone make a comparison before the hack and after the hack?
-
"How about the rise time"
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1635386/#msg1635386 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1635386/#msg1635386)
-
Hello all,
First and foremost, I'd like to send many *_kudos_* to each and all of you for your fantastic contribution to this forum / thread. I've learned a lot from you guys! :-+ :clap:
Now... My scope is a SDS1104X-E, "fixed" to 200 MHz and with all options permanently activated (I've been using the "memdump" method). Currently it runs the FW 6.1.26. I've played a little with the 6.1.35R2 but I reverted to the 6.1.26 in order to keep the "good old" options...
I also wanted to install the "eevblog" version of the OS (SDS1004X-E_OSV1_EN_eevblog) just to be able to gain telnet acces, and that's where I had to stop. According to the doc, when booting-up with a USB key containig the four files (at the root level) the scope is supposed to automatically begin the upgrade process. Well... mine doesn't do anything, although it does "see" the USB key and its content. And yes, the key is a 32GB, freshly formatted in FAT32.
Am I missing something?
Thanks in advance and best regards,
ZPP
-
I've played a little with the 6.1.35R2 but I reverted to the 6.1.26 in order to keep the "good old" options...
Please explain what is the good old options?
-
For example, being able to use SHELLCMD.
-
For example, being able to use SHELLCMD.
The SCPI command panel in the webserver utility permits running all manner of SCPI commands. Valid, hidden and undocumented.
-
Is it?
Then why, using 6.1.35R2, using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" didn't do anything (while in 6.1.26 it yielded the expected result)?
-
For example, being able to use SHELLCMD.
Why don't you use this (https://www.eevblog.com/forum/testgear/sds1104x-e-hack-to-200mhz-and-full-options/msg2478699/#msg2478699)? :-//
-
You have a valid point, but it shouldn't exclude some other (equally valid) options. My option, for example, was to stick with 6.1.26 (for the time being). I don't think that's a show stopper.
Anyway... my initial post was not about discussing, judging and arguing about _my_ option to keep 6.1.26 - it was about the inability to load "SDS1004X-E_OSV1_EN_eevblog" into my scope. Yet, I _do_ thank you for your advice.
-
In that case let me do a final judgement and argument:
As you seem able to find advantages in downgrading the FW just for having a telnet capability which is also available in my suggestion, I'm sure you will be able to sort the flashing problem.
-
...That wasn't very nice... :(
I'd asked a simple, techical question, hoping that I was talking to very knowledgeable and techically-oriented people... and yet, with my first post, I'm stuck with an ego...
Is it my alias, the fact that I'm a newbie (although I haven't fallen on Earth with the last rain...) in this forum or because I haven't got on my knees at your suggestion that turned on your flamethrower? I respectfully point to you that your suggestion _did not_ answer my question; it only eluded it.
Anyway... thanks for your time...
"- What time does this bus leave?
- Why don't you take the train instead?
- I'd still want to get on this bus...
- If you don't want to take the train, go figure yourself the timetable !"
-
...That wasn't very nice... :(
I'd asked a simple, techical question, hoping that I was talking to very knowledgeable and techically-oriented people... and yet, with my first post, I'm stuck with an ego...
Is it my alias, the fact that I'm a newbie (although I haven't fallen on Earth with the last rain...) in this forum or because I haven't got on my knees at your suggestion that turned on your flamethrower? I respectfully point to you that your suggestion _did not_ answer my question; it only eluded it.
Anyway... thanks for your time...
"- What time does this bus leave?
- Why don't you take the train instead?
- I'd still want to get on this bus...
- If you don't want to take the train, go figure yourself the timetable !"
Try formatting and configuring the USB on a raspberry pi; that's what worked for me with the custom eevblog firmware
-
Thank you for your kind reply.
Unfortunately I don't have a Raspberry Pi, so I can't try your suggestion.
Regards,
ZPP
-
Thank you for your kind reply.
Unfortunately I don't have a Raspberry Pi, so I can't try your suggestion.
Regards,
ZPP
Try making the USB on a different system then 32 bit vs 64 bit, Linux vs Windows, etc)
-
Thank you for this, extremely easy to do and worked :)
Was googling for the WebSock error: [object Event] error on my scope and came across the firmware hack :) updated now have 200mhz & webview works good !!
-
I just bought the SAG1021I with the license file, but I already hacked the MSO part to unlimited, does that mean the SAG1021I will work without my genuine license? (bundle deal was good and I figured why not lol). Or do I have to somehow unhack and install my license. I used the python script method.
-
WGoeo's old passive k-gen script hack confirmed still fully working on a brand new SDS1104X-E
Just note here to save some folks a little time and a few headaches.
I got a brand new SDS1104X-E a-few days back with a recent manufacturing date, ALL the SDS1000 series keys which WGoeo's script generates work just fine.
(I expect on this software/hardware revision that it will always work)
(SW:6.1.35R2 (Release Date 03.07.20) - Uboot: 8.1 - FPGA: 2019-11-15 - HW: 01-04)
Thing is, a few things along the way will likely catch some folks out, so i will detail those below:
* Firstly, when you run the script in rep.it you *must* (it seems) Fork it to run the code with the correct, valid ID & SN actually going thru the compiler (it doesnt seem to compile what it displays if you edit it in your session).
https://repl.it/@wgoeo/siglent-keygen#main.py
When you are done running it in a fork, you can then delete it from your account.
* Secondly, whilst the MCBD command to modify MHz rating of the scope does indeed work in the SCPI terminal over the network, you will need to enter the remaining keys for AWG, WIFI & MSO as below:
Use the Options menu directly on the scope to enter the keys, make sure the key TYPE you are entering is shown on the left softkey before you open the menu. Be SURE to select CAPS mode for entering the key (by intensity adj. scrolling to the end option & clicking), then enter your keys one at a time, changing the type entered in the previous menu as and when needed.
Now everything should show as activated.
Enjoy :)
-
Hi,
Can someone share the file which is not anymore accessible.
https://www45.zippyshare.com/v/SEUJEWE1/file.html
Thanks!
-
Hi,
Can someone share the file which is not anymore accessible.
https://www45.zippyshare.com/v/SEUJEWE1/file.html (https://www45.zippyshare.com/v/SEUJEWE1/file.html)
Thanks!
Protektwar--
The zippy file should still work, I just downloaded it fine.
Anyway, it looks like the newest method of hacking the 1104x-e is here: https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705)
Good luck!
-
Found - A Known Good Source of Siglent SDS1xx4X-E compatible TP-Link WIFI Dongles.
Just dropping this here to notify that I've found (and tested) a good source of compatible wifi dongles, so if you are having trouble finding them, try this link:
https://www.ebay.co.uk/itm/TP-Link-TL-WN725N-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569 (https://www.ebay.co.uk/itm/TP-Link-TL-WN725N-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569)
Currently £7.29 from Picstop in the UK, the packaging style to look out for is as follows below:
(https://i.ibb.co/FwGY1f8/s-l500.jpg) (https://imgbb.com/)
-
Found - A Known Good Source of Siglent SDS1xx4X-E compatible TP-Link WIFI Dongles.
Just dropping this here to notify that I've found (and tested) a good source of compatible wifi dongles, so if you are having trouble finding them, try this link:
TL-WN725N[/b]-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569]https://www.ebay.co.uk/itm/TP-Link-TL-WN725N-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569 (https://www.ebay.co.uk/itm/TP-Link-[b)
Currently £7.29 from Picstop in the UK, the packaging style to look out for is as follows below:
(https://i.ibb.co/FwGY1f8/s-l500.jpg) (https://imgbb.com/)
:)
Can I point you to this link where you can see this same Pt#: SKU: TL_WN725N
https://siglentna.com/product/usb-wifi-adapter/ (https://siglentna.com/product/usb-wifi-adapter/)
A correction if I may: compatible OEM equivalent. ;)
-
..I do like the way the official photo on Siglent's website shows the dongle with the original, plain 'oem' branding on as well; not noticed that before & it gave me quite the chuckle ;) :)
-
I thought I had tried all the different Scope ID permutations. Looks like I didn't. The one that works is without dashes and leaving any other characters as they are.
For Bandwidth Upgrade (Worked for me on 8.1.6.1.33):
- Connect Scope to LAN
- On Scope: In Utility menu -> Page (page 2)-I/O-IP Set
- Either set a static IP address or enable DHCP-Save
- Reboot. If DHCP, use step 2 and get your scope's IP
- Open Web Browser-input the IP address of scope
- SCPI button on left. In the command field: SCOPEID?
(dont forget or miss the ? at the end. it is important) - Copy the ID shown
- Download the python script from wgeon just a few messages before this one
- Open the script in Notepad. Find the line that starts serial =
- Delete everything between the two single quote marks, then place your scope ID there.
NOTE: Your scope ID will probably contain dashes. Remove them. All you want are the the numbers and letters without spaces or dashes or anything else.
Example:
If SCOPEID? Returns: 1234-fedc-567b-89a0
then the serial line in the script is:
serial = '1234fedc567b89a0'
Just remove the dashes. Leave the rest alone.
- Run this python script. If you have Python already installed on your computer you can run it locally. Otherwise a quick google search will turn up places to upload/paste the script and run it. (The first link in a Google of 'run python online' works)
- In the 200M line the script will return a key of 16 characters. Copy them.
- Back in the web browser on the web page for the scope, in the SCPI command enter:MCBD (key)
Don't include the ()s, just the 16 characters like this: MCBD 0123456789ABCDEF
- Reboot the scope
Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)
This method worked great today for my SDS1104X-E with firmware 6.1.5R2.
Here you can see it now reports as a SDS1204X-E.
(http://diver.net/eevblog/siglent_1104X-E_hack/SDS1204X-E_hack_result.jpg)
The rise time measured with my Colby PG1000A pulse generator (250ps rise/fall time) into a 50 Ohm termination decreased from 2.9ns to 1.6ns. Not quite a factor of two, but close.
(http://diver.net/eevblog/siglent_1104X-E_hack/SDS00003.png)
I ran the edited python script on my Mint Linux laptop by typing python3 sds1000xe.py
Many thanks to wgoeo (https://www.eevblog.com/forum/profile/?u=142156) for developing the key producing script (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=793485) and oldcqr (https://www.eevblog.com/forum/profile/?u=609576) for the step-by-step instructions (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705).
Chris
p.s. the 50 Ohm termination I used was the inexpensive one I describe in this video (https://youtu.be/4GyCAe34N0k).
-
I thought I had tried all the different Scope ID permutations. Looks like I didn't. The one that works is without dashes and leaving any other characters as they are.
For Bandwidth Upgrade (Worked for me on 8.1.6.1.33):
- Connect Scope to LAN
- On Scope: In Utility menu -> Page (page 2)-I/O-IP Set
- Either set a static IP address or enable DHCP-Save
- Reboot. If DHCP, use step 2 and get your scope's IP
- Open Web Browser-input the IP address of scope
- SCPI button on left. In the command field: SCOPEID?
(dont forget or miss the ? at the end. it is important) - Copy the ID shown
- Download the python script from wgeon just a few messages before this one
- Open the script in Notepad. Find the line that starts serial =
- Delete everything between the two single quote marks, then place your scope ID there.
NOTE: Your scope ID will probably contain dashes. Remove them. All you want are the the numbers and letters without spaces or dashes or anything else.
Example:
If SCOPEID? Returns: 1234-fedc-567b-89a0
then the serial line in the script is:
serial = '1234fedc567b89a0'
Just remove the dashes. Leave the rest alone.
- Run this python script. If you have Python already installed on your computer you can run it locally. Otherwise a quick google search will turn up places to upload/paste the script and run it. (The first link in a Google of 'run python online' works)
- In the 200M line the script will return a key of 16 characters. Copy them.
- Back in the web browser on the web page for the scope, in the SCPI command enter:MCBD (key)
Don't include the ()s, just the 16 characters like this: MCBD 0123456789ABCDEF
- Reboot the scope
Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)
This method worked great today for my SDS1104X-E with firmware 6.1.5R2.
Here you can see it now reports as a SDS1204X-E.
(http://diver.net/eevblog/siglent_1104X-E_hack/SDS1204X-E_hack_result.jpg)
The rise time measured with my Colby PG1000A pulse generator (250ps rise/fall time) into a 50 Ohm termination decreased from 2.9ns to 1.6ns. Not quite a factor of two, but close.
(http://diver.net/eevblog/siglent_1104X-E_hack/SDS00003.png)
I ran the edited python script on my Mint Linux laptop by typing python3 sds1000xe.py
Many thanks to wgoeo (https://www.eevblog.com/forum/profile/?u=142156) for developing the key producing script (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=793485) and oldcqr (https://www.eevblog.com/forum/profile/?u=609576) for the step-by-step instructions (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2649705/#msg2649705).
Chris
p.s. the 50 Ohm termination I used was the inexpensive one I describe in this video (https://youtu.be/4GyCAe34N0k).
This Video is very good for everyone watch who is interested about feed thru with oscilloscope normal 1M / xx pF /xx nH inputs.
Btw, it is possible to make feed thru so that it have bit better impedance for whole scope bandwidth but it is hard work with NVA for adjust special feed thru L and C compensations. Can not do perfect but perhaps good compromise. Then these need label "for use only with this xxxx" ;)
-
Found - A Known Good Source of Siglent SDS1xx4X-E compatible TP-Link WIFI Dongles.
Just dropping this here to notify that I've found (and tested) a good source of compatible wifi dongles, so if you are having trouble finding them, try this link:
TL-WN725N[/b]-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569]https://www.ebay.co.uk/itm/TP-Link-TL-WN725N-150Mbps-Wireless-N-Nano-USB-Adapter-TL-WN725N/224039695569 (https://www.ebay.co.uk/itm/TP-Link-[b)
Currently £7.29 from Picstop in the UK, the packaging style to look out for is as follows below:
(https://i.ibb.co/FwGY1f8/s-l500.jpg) (https://imgbb.com/)
:)
Can I point you to this link where you can see this same Pt#: SKU: TL_WN725N
https://siglentna.com/product/usb-wifi-adapter/ (https://siglentna.com/product/usb-wifi-adapter/)
A correction if I may: compatible OEM equivalent. ;)
Now if only they would fix the firmware so I don't have to change the name of my wifi network in order to use it ;)
-
Hi,
is there a way to change in the script for activating AWG and MSO for a SDS2202X-E?
(I already changed the model string in the script to SDS2202X-E, but as expected this is too easy and not working)
Thank you for any information.
-
Hi,
is there a way to change in the script for activating AWG and MSO for a SDS2202X-E?
(I already changed the model string in the script to SDS2202X-E, but as expected this is too easy and not working)
Thank you for any information.
For what. You still need these hardware. Or do you think you buy HW and then do not need but licenses.
And example for what is FG option. You need exactly SAG1021I what is very limited generator, of course if this is enough then it is naturally ok. If you have SAG1021I and want do BodePlot, it do not need this license at all.
MSO option you can not do any single thing without SBus connected MSO / LA hardware and if you want build it from scratch you perhaps pay more than purchase it from Siglent and loose lot of time. This scope is obsolete before it is ready.
But for success... read more. All is here in forum. But there is not free lounges. ;)
My question was just about... what you do with these licenses if you do not have these hardware. ;)
In trial period you sure can look what these licenses give if you just want know.
-
I know that I need this hardware. And, surprise, I have this hardware, at least the SAG1021I waveform generator. That was the reason for my question :palm:
I use it for Bode plots, (you need no license for Bode plots) but also want to use the full AWG funktion. It is a useful, insulated stimulus source for a lot of measurements. For the rest I have some other waveform generators.
But the hardware + the license together is way too expensive in my opinion, it is not worth 270 Euro together for a 25Mhz waveform generator which only can be used with some Siglent scopes.
Ok, I will read the whole thread and hope that I find a solution for me.
-
I know that I need this hardware. And, surprise, I have this hardware, at least the SAG1021I waveform generator. That was the reason for my question :palm:
I use it for Bode plots, (you need no license for Bode plots) but also want to use the full AWG funktion. It is a useful, insulated stimulus source for a lot of measurements. For the rest I have some other waveform generators.
But the hardware + the license together is way too expensive in my opinion, it is not worth 270 Euro together for a 25Mhz waveform generator which only can be used with some Siglent scopes.
Ok, I will read the whole thread and hope that I find a solution for me.
In this situation... yess... naturally. :)
-
Noob here
I was researching low end DSO's when I came across this thread. Buying a decent 200 Mhz, 4 channel, feature rich DSO for $500 seems too good to pass up. I do require 4 channels.
Unless someone with more experience can suggest another model, I'll order the SDS1104X-E after the Christmas rush and attempt to perform this fix. I do not have Python or a LAN at the moment, so I'll start piecing this together. I may return with questions. An above post mentions a fork. I have no idea what he is referring to :-//
Thanks
-
Unless someone with more experience can suggest another model...
Micsig STO1104C.
It's not 200Mhz but it has a big touch screen and the user interface is easily more than an order of magnitude faster/better than doing everything through a stupid twisty knob. It also runs off battery and has a lot of built-in talents like Wifi and web browser.
(https://www.batronix.com/images/generated/sto1000-hero2-1200x735-White-b.jpg)
-
Noob here
I was researching low end DSO's when I came across this thread. Buying a decent 200 Mhz, 4 channel, feature rich DSO for $500 seems too good to pass up. I do require 4 channels.
Unless someone with more experience can suggest another model, I'll order the SDS1104X-E after the Christmas rush and attempt to perform this fix. I do not have Python or a LAN at the moment, so I'll start piecing this together. I may return with questions. An above post mentions a fork. I have no idea what he is referring to :-//
Thanks
Welcome to the forum.
For ongoing 4ch needs you are best served by a scope with dual ADC's like these 4ch X-E's so to not have low sampling rates with all 4 channels active.
If you don't require 200 MHz maybe the new single ADC SDS1104X-U for just $ 399 could interest you.
Thread about them here:
https://www.eevblog.com/forum/testgear/siglent-1120-new-sds1104x-u-4-channel-100mhz-1gsas-economy-oscilloscope/ (https://www.eevblog.com/forum/testgear/siglent-1120-new-sds1104x-u-4-channel-100mhz-1gsas-economy-oscilloscope/)
-
I really do like the Micsig, a lot. Unfortunately, they don't seem to be well represented here in the US. I'm not sure who will be there for me if warranty issues arise. Plus it's about $200 more.
The one thing that seems to be missing on the Siglent is a force trigger. Am I just not finding it?
-
I really do like the Micsig, a lot. Unfortunately, they don't seem to be well represented here in the US. I'm not sure who will be there for me if warranty issues arise. Plus it's about $200 more.
The one thing that seems to be missing on the Siglent is a force trigger. Am I just not finding it?
Modern Siglents don't have a Force and I've never found any need for it. Stop will let you see the waveform as still where you can make the settings required to get stable triggering.
The most powerful feature of a DSO is its trigger suite and knowing have to use it to best effect is paramount to using a DSO to its potential.
-
I found this in the manual "Note: You can force the oscilloscope to trigger by pressing the Single button
twice. The trigger status in the upper left corner of the screen will be displayed
as "FStop"."
I will use force sometimes to to look at my signal while waiting for a trigger
-
I really do like the Micsig, a lot. Unfortunately, they don't seem to be well represented here in the US. I'm not sure who will be there for me if warranty issues arise.
Fair enough.
Plus it's about $200 more.
:o I hadn't checked over there but here in Europe they're only about 35 Euros more than the Siglent.
-
I contacted Siglent USA. They handle all warranty and repair issues at their Ohio facility. That's a big plus.
They also recommend a 2G memory stick, 4G max.
I'll place my order on Monday
-
Just wanted to say that I got my SDS1104X-E today (12/30/2020), and thanks to the Python script method, got it upgraded to 200 MHz and unlocked all options within 10 minutes of getting it out of the box ;D
Thank you to everyone who's contributed, for the guide and overall very helpful info! ^-^
-
I bought my scope from Amazon over December. It was out of stock there when I ordered and shipped late December. So in theory I should have one of the latest manufactured batches.
Calibration date on my scope is 2020-10-19.
Scope came from the factory with firmware "6.1.35R2".
200Mhz, AWG, MSO and WIFI unlock all worked out of the box.
It took me a few tries to get it to work, so for future visitors:
Use the script attached here: https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2568012/#msg2568012 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg2568012/#msg2568012)
Note that the linked URL didn't work for me, I had to use the script attached to the post.
I ran it twice. Once using SCOPEID? once using the scope serial number.
The SCOPEID? output for 200Mhz "upgraded" the scope to 1204X-E.
The serial number output for WIFI, AWG & MSO was entered using the scope "install module" option.
-
After some trying I now have enabled all options at my SDS2202X-E with the python script from WGoeo.
Here the modified phyton script for the 2000X-E series:
-----------
import hashlib
serial = 'your serial number'
for opt in ('AWG', 'WIFI', 'MSO'):
h = hashlib.md5((
'5zao9lyua01pp7hjzm3orcq90mds63z6zi5kv7vmv3ih981vlwn06txnjdtas3u2'
'wa8msx61i12ueh14t7kqwsfskg032nhyuy1d9vv2wm925rd18kih9xhkyilobbgy' +
'SDS2000X-E\n'.ljust(32, '\x00') +
opt.ljust(5, '\x00') +
2*((serial + '\n').ljust(32, '\x00')) +
'\x00'*16).encode('ascii')
).digest()
key = ''
for b in h:
if (b <= 0x2F or b > 0x39) and (b <= 0x60 or b > 0x7A):
m = b % 0x24
b = m + (0x57 if m > 9 else 0x30)
if b == 0x30: b = 0x32
if b == 0x31: b = 0x33
if b == 0x6c: b = 0x6d
if b == 0x6f: b = 0x70
key += chr(b)
print('{:4} {}'.format(opt, key.upper()))
---------------
Important: You need the serial number, not the scope ID for this codes!
There is no bandwith hack for the SDS2202X-E, because this is not necessarry. I have this 200Mhz version, but to my surprise the -3dB point is @355MHz (checked with a Tektronix SG 504) with a 50Ohm termination. It seems the only difference between the 200Mhz and 350Mhz models are the probes.
Thank you for all the people here which had made this possible.
-
The Mhz update worked by using the SCPI control.
However I can't get the AWG to update by entering it on the scope.
I also tried SCPI with LCISL AWG 0123456789ABCDE but it doesn't work.
SW:6.1.35R2 (Release Date 03.07.20) - Uboot: 8.1 - FPGA: 2019-11-15 - HW: 01-05
Could this be due to the new hardware version?
-
I also tried SCPI with LCISL AWG 0123456789ABCDE but it doesn't work.
Tried with comma?
-
I also tried SCPI with LCISL AWG 0123456789ABCDE but it doesn't work.
Tried with comma?
Yes, responds with success but no change.
-
Well, using the wrong script, someone said the download version was good but it's a completely different script which only works for the Bandwidth.
Also, didn't work to do via SCPI but worked fine via the options menu on the scope.
This is the complete script:
import hashlib
SCOPEID = '0123456789abcdef'
SN = 'SDSXXXXXXXXXXX'
Model = 'SDS1000X-E'
# 'SDS1000X-E', 'SDS2000X-E', 'SDS2000X+', 'SDS5000X', 'ZODIAC-'
bwopt = ('25M', '40M', '50M', '60M', '70M', '100M', '150M', '200M', '250M', '300M', '350M', '500M', '750M', '1000M', 'MAX')
otheropt = ('AWG', 'WIFI', 'MSO', 'FLX', 'CFD', 'I2S', '1553', 'FG', '16LA')
hashkey = '5zao9lyua01pp7hjzm3orcq90mds63z6zi5kv7vmv3ih981vlwn06txnjdtas3u2wa8msx61i12ueh14t7kqwsfskg032nhyuy1d9vv2wm925rd18kih9xhkyilobbgy'
def gen(x):
h = hashlib.md5((
hashkey +
(Model+'\n').ljust(32, '\x00') +
opt.ljust(5, '\x00') +
2*(((SCOPEID if opt in bwopt else SN) + '\n').ljust(32, '\x00')) +
'\x00'*16).encode('ascii')
).digest()
key = ''
for b in h:
if (b <= 0x2F or b > 0x39) and (b <= 0x60 or b > 0x7A):
m = b % 0x24
b = m + (0x57 if m > 9 else 0x30)
if b == 0x30: b = 0x32
if b == 0x31: b = 0x33
if b == 0x6c: b = 0x6d
if b == 0x6f: b = 0x70
key += chr(b)
return key.upper()
for opt in bwopt:
print('{:5} {}'.format(opt, gen(SCOPEID)))
for opt in otheropt:
print('{:5} {}'.format(opt, gen(SN)))
-
I thought I had tried all the different Scope ID permutations. Looks like I didn't. The one that works is without dashes and leaving any other characters as they are.
For Bandwidth Upgrade (Worked for me on 8.1.6.1.33):
- Connect Scope to LAN
- On Scope: In Utility menu -> Page (page 2)-I/O-IP Set
- Either set a static IP address or enable DHCP-Save
- Reboot. If DHCP, use step 2 and get your scope's IP
- Open Web Browser-input the IP address of scope
- SCPI button on left. In the command field: SCOPEID?
(dont forget or miss the ? at the end. it is important) - Copy the ID shown
- Download the python script from wgeon just a few messages before this one
- Open the script in Notepad. Find the line that starts serial =
- Delete everything between the two single quote marks, then place your scope ID there.
NOTE: Your scope ID will probably contain dashes. Remove them. All you want are the the numbers and letters without spaces or dashes or anything else.
Example:
If SCOPEID? Returns: 1234-fedc-567b-89a0
then the serial line in the script is:
serial = '1234fedc567b89a0'
Just remove the dashes. Leave the rest alone.
- Run this python script. If you have Python already installed on your computer you can run it locally. Otherwise a quick google search will turn up places to upload/paste the script and run it. (The first link in a Google of 'run python online' works)
- In the 200M line the script will return a key of 16 characters. Copy them.
- Back in the web browser on the web page for the scope, in the SCPI command enter:MCBD (key)
Don't include the ()s, just the 16 characters like this: MCBD 0123456789ABCDEF
- Reboot the scope
Thanks for the clues, and I hope these steps spell it out better for the next poor slob :)
I wonder if there is a slight error in the above? I followed your directions until I got to that point, but then I put the ScopeID number in the "SCOPEID = '0123456789abcdef' line and the unit serial number (from the utility page) in the SN="SDSxxxxxxxxxxx" line.
I used the webpage script provided by WGoeo. But I had to fork it to insert my own numbers and run it. I bought this wifi dongle for $10, which is gold coloured, appears to be the correct one and worked perfectly:
https://www.amazon.ca/gp/product/B008IFXQFU (https://www.amazon.ca/gp/product/B008IFXQFU)
Since the unit comes with 30 free tries of the wifi, I just plugged in the dongle and didn't have to go hunt down a network cable to access the SCPI interface.
I unlocked the bandwidth in the SCPI command line and installed the other keys via the control panel.
Prior to unlocking, I used a fast-pulse generator to check the rise time. It was slower than my trusty old hacked DS1052. After the hack, it was dramatically improved, approaching (but not quite meeting) the performance of my ancient Tek 475. But much easier to see in daylight!!!
Firmware is 6.1.35R2, and the calibration certificate suggests it left the factory mid-December. (I had to laugh when I noticed the certificate was signed by "Your Wang" :-DD)
I read through pages and pages of the 2 or 3 different threads on this hack before pulling the trigger and I think my eyes are still bleeding a little bit. My thanks to all that went before, figured this out and shared it. Too many to mention all, but you know who you are!
-
I have discovered that step 14 is not necessary. The scope changes bandwidth immediately on running the MCBD (key) command in the web UI. Not quite as convenient as a panel button or menu option, but with a laptop nearby and the wifi dongle installed, it is a readily available bandwidth limit switch.
For those that are still wondering if the hack really affects bandwidth, here are some screenshots of the signal from a home-made pulse generator I put together when hacking my Rigol DS1052. (all screen shots adjusted to 6 divisions of height, 2 nS/Div) (The pulse generator is directly BNC coupled to the scope input, so no probes involved.)
First, the signal as seen by the unlocked Rigol:
(https://picturehosting.verhey.org/siglint/rigol_DS1052-hacked.bmp)
Now, the same signal seen by a Tek 475, with the bandwidth limiter set to 100MHz:
(https://picturehosting.verhey.org/siglint/tek475_100MHz.JPG)
and finally, as seen by the stock, unhacked SDS1104X-E:
(https://picturehosting.verhey.org/siglint/siglent_SDS1104X-E.png)
But here it is in all it's glory with the Tek 475 set to 200MHz:
(https://picturehosting.verhey.org/siglint/tek475_200MHz.JPG)
And now the one you really wanted to see, the Siglent SDS1104X-E unlocked to think it is a SDS1204X-E:
(https://picturehosting.verhey.org/siglint/siglentSDS1204X-E.png)
Remember, each of these were fine-adjusted to 6 segments of height. This is what happens when I command the Siglent back to 100MHz from the laptop, without rebooting or making any other changes:
(https://picturehosting.verhey.org/siglint/siglentSDS1104X-E_unadjusted.png)
-
Hi,
Fascinating and way over my BW. I do audio . . . with tubes. However I want to buy this Siglent and do the hack as it will probably be the last scope I buy. Data logging and FFT are nice.
Beforehand I checked the downloads to make sure they are still available.
Here's the problem: Zippyshare is loaded with porn, malware links and everything but the software needed. Dazzled by the female body parts, an hour later I noticed this link, https://www45.zippyshare.com/v/SEUJEWE1/file.html, doesn't work.
Is there a work around?, a valid safe place where it's parked?
Thanks
-
No need for download, simply run the python script online.
-
I ran the on-line script, BUT to do so, I had to create a free account and then fork the script. It would not allow me to substitute in my own scopeid and serial number otherwise.
I gather this is something new, put in place because of problems caused by anonymous users.
-
I tried the Python app to increase my SDS1104x-e bandwidth to 200M. The app produced 4 key codes which I then tried on SCPI with the MBCD command. Unfortunately none of the codes worked. I know this as after each try I used the MBCD? command to see if the code was accepted but each time it returned the original 100M key code.
I am not sure if my software version is the cause of this : Software Version: 6.1.35R2
Are there any guys out there that had the bandwidth upgraded with this software version?
:phew:
-
I saw the 1104X-E at amazon today for $449 and pulled the trigger.
https://www.amazon.com/Siglent-SDS1104X-oscilloscope-channels-standard/dp/B0771N1ZF9/ref=sr_1_4?dchild=1&keywords=siglent+sds1104x-u&qid=1612242815&sr=8-4 (https://www.amazon.com/Siglent-SDS1104X-oscilloscope-channels-standard/dp/B0771N1ZF9/ref=sr_1_4?dchild=1&keywords=siglent+sds1104x-u&qid=1612242815&sr=8-4)
Delivery date is 2/6.
Last scope I will own. My analogue scope is a Hitachi 2ch 35mhz. Nice scope for audio but I want to have capture and be able to do some distortion analysis.
Please forgive me. I don't code and all the acronyms are unrecognizable to me so I may need some tutoring.
Now when you say run the Python code is this the code I downloaded from this thread, reply #24 from TV84, the Easter Egg code or this: * SDS1004X-E_ProMode.zip , or something else. ? It's a long thread.
And as always, I thank everybody on this forum. I would also be happy to find someone to either walk me thru this or have them do it for me all though doing it myself would be a novel experience. I just don't want to screw up a new piece of gear right away.
Thanks
-
Everyone says the fan is noisy.
What fan is recommended to replace the stock fan or will a resistor do the job?
-
Everyone says the fan is noisy.
What fan is recommended to replace the stock fan or will a resistor do the job?
Noise is relative and it worries some and not others.
Replacing the fan with a similar spec Noctua won't noticeably reduce the noise which a customer reported to me today.
Wait until you receive the scope and then decide if it's an issue.
-
Everyone says the fan is noisy.
What fan is recommended to replace the stock fan or will a resistor do the job?
Noise is relative and it worries some and not others.
Replacing the fan with a similar spec Noctua won't noticeably reduce the noise which a customer reported to me today.
Wait until you receive the scope and then decide if it's an issue.
Dang, got this scope in yesterday, and I was literally gonna start looking at what size fan it uses because I have a handful of tiny noctua fans on hand! Guess I'll just skip it then.
Noise is certainly relative, and it's loud enough it bugs me — but my lab is quiet. It's slightly louder than my mini-fridge, which also bugs me, but less loud than my PC's fans at a moderate load on a warm day.
But I tend to not get bugged when I zone in working on something, so I imagine I'll get used to it pretty quickly.
I uploaded a short clip of it to YT here so you can kinda try and get a sense for the sound. I turn the power off at the end so you can hear the level of ambient noise in my room: https://youtu.be/uH3uQ4Qn9dI
-
Everyone says the fan is noisy.
What fan is recommended to replace the stock fan or will a resistor do the job?
Noise is relative and it worries some and not others.
Replacing the fan with a similar spec Noctua won't noticeably reduce the noise which a customer reported to me today.
Wait until you receive the scope and then decide if it's an issue.
Dang, got this scope in yesterday, and I was literally gonna start looking at what size fan it uses because I have a handful of tiny noctua fans on hand! Guess I'll just skip it then.
Noise is certainly relative, and it's loud enough it bugs me — but my lab is quiet. It's slightly louder than my mini-fridge, which also bugs me, but less loud than my PC's fans at a moderate load on a warm day.
But I tend to not get bugged when I zone in working on something, so I imagine I'll get used to it pretty quickly.
I uploaded a short clip of it to YT here so you can kinda try and get a sense for the sound. I turn the power off at the end so you can hear the level of ambient noise in my room: https://youtu.be/uH3uQ4Qn9dI
Welcome to the forum.
Sounds perfectly normal in the vid.
Part of an investigation I cut the metal grille away from the fan however it made no appreciable difference so with the info from a customer that fitted a stock equivalent Noctua fan I believe the only options left are to place a series resistor in the fan lead to slow the fan marginally to a noise level to your liking.
Would I do it.......no !
We already know these scopes have a Quick Cal feature that makes minor adjustments to maintain accuracy while the scope reaches full operation temp with the stock fan and when doing those adjustments it's been reported that minor periods off scope inactivity take place so to mess too much with the stock setup could have unexpected undesirable consequences.
-
I saw the 1104X-E at amazon today for $449 and pulled the trigger.
https://www.amazon.com/Siglent-SDS1104X-oscilloscope-channels-standard/dp/B0771N1ZF9/ref=sr_1_4?dchild=1&keywords=siglent+sds1104x-u&qid=1612242815&sr=8-4 (https://www.amazon.com/Siglent-SDS1104X-oscilloscope-channels-standard/dp/B0771N1ZF9/ref=sr_1_4?dchild=1&keywords=siglent+sds1104x-u&qid=1612242815&sr=8-4)
Delivery date is 2/6.
Last scope I will own. My analogue scope is a Hitachi 2ch 35mhz. Nice scope for audio but I want to have capture and be able to do some distortion analysis.
<snip>
And as always, I thank everybody on this forum. I would also be happy to find someone to either walk me thru this or have them do it for me all though doing it myself would be a novel experience. I just don't want to screw up a new piece of gear right away.
Thanks
Same here, except that I saw it yesterday, fought with myself until this morning, and pulled the cord... It says: Arriving Thursday!!!
Partially off topic, but what type of bnc cable should I get to connect it to my signal generator? I already have at some 50ohm bnc terminators and some bnc 'T' adapters ordered, but just what specs do I need for the cable itself?
-
I tried the Python app to increase my SDS1104x-e bandwidth to 200M. The app produced 4 key codes which I then tried on SCPI with the MBCD command. Unfortunately none of the codes worked. I know this as after each try I used the MBCD? command to see if the code was accepted but each time it returned the original 100M key code.
I am not sure if my software version is the cause of this : Software Version: 6.1.35R2
Are there any guys out there that had the bandwidth upgraded with this software version?
:phew:
I have the same firmware version as you. The MBCD command worked for me. The first time I tried the python script it didn't work. I am pretty sure I had one of the letters as a capital rather than lower case. I just copied the scope id from the SCPI and directly pasted it into python. Just make sure to delete the dashes. Are you are using the link from post #158?
-
Fan is tolerable. Thanks
-
I got my SDS1104X-E the other day, got it upgraded to 200 MHz and unlocked all options with 15 minutes at the computer all as per the advice on this board ;D
Of course, reading the board in the first place from go to whoa took a bit longer ;D
Thank you to everyone who's contributed, for the step by step guide and overall very helpful info! ^-^
-
#168, BIG THX to oldcqr,
this was the only way for me to enable the requested function(s). I got the scope at the 1st of March with firmware/software as described in this post, but it was NOT possible to connect via telnet. Only the way around the Python-Script worked like a charm. I think, that SIGLENT did some "adjustments" within the firm. 8)
-
Hi all,
thanks for this excellent work.
Just bought a SDS1104X-E.
Software Version: 8.1.6.1.35R2
For all that wan't to know if it's still possible, to recover your keys in a case of an emergency (lost receipt etc.): yes!
I can confirm, that using this https://replit.com/@wgoeo/siglent-keygen (https://replit.com/@wgoeo/siglent-keygen) script, which I ran locally on my PC using Python 3.9 interpreter, works like a charm.
Enter in the script header:
- the SCOPE-ID without dashes, spaces etc (just numbers and lowercase letters), which you can obtain via the SCPI web interface using the command > SCOPEID? (without the leading >)
- The SN, which you can see at the web interface of the scope at the start page (connect your scope via LAN or WLAN).
The 200M option needs to be entered via the SCPI web interfaces using the command > MCBD XXXXYYYYYY (without the leading > and XXXXYYYYYY being the output of the above python script in the line starting with "200M")
The other options (AWG; WIFI, MSO) need to entered via the UI of the scope. Printing them out like this AAAA BBB CCCC DDDD make life a lot easier, since you need to enter them in blocks of 4.
Using this TP-Link stick will result in a working Wifi:
https://www.tp-link.com/en/home-networking/adapter/tl-wn725n/ (https://www.tp-link.com/en/home-networking/adapter/tl-wn725n/)
It's dirt cheap at .e.g Amazon.
-
The 200M option needs to be entered via the SCPI web interfaces using the command > MCBD XXXXYYYYYY (without the leading > and XXXXYYYYYY being the output of the above python script in the line starting with "200M")
The other options (AWG; WIFI, MSO) need to entered via the UI of the scope. Printing them out like this AAAA BBB CCCC DDDD make life a lot easier, since you need to enter them in blocks of 4.
It's dirt cheap at .e.g Amazon.
Just got my 1104x-e today. It is also running firmware 6.1.35R2. This (and the previous python script posted earlier) worked for me, producing keys that unlocked the WiFi, MSO, AWG features.
I had problems with the bandwidth key because originally I did not remove the dash characters from my SCOPEID? output before putting it in the python script. You have to do that. Then and only then will the hash function also produce the correct keys for the bandwidth settings. I actually think it produces the correct keys for the add-on features without SCOPEID at all.
I put an updated-for-2021 step-by-step guide in this blog post (https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/).
-
To everyone that said thank you, you are welcome!
Just an update [tl;dr - Now up on latest firmware with all options enabled]
My scope came with 8.1.6.1.33, and a few pages ago (almost 2 years now) I was successful in the update from 100m to 200m. At the time I did not apply any of the other codes.
A few days ago I found the wireless adapter I was pretty sure I needed (https://amzn.to/2TU4hLB). I got it and sure enough, it worked in Demo mode. Perfect. I got the script back out, successfully generated the 3 option keys (using my Serial number, not scope ID). Installed via the UI. All 3 activated without issue. WOO!
I then went ahead and downloaded the latest available firmware from Siglent (the 6.1.35R2 others have talked about), and installed that into the scope. Again no problem and all the options remained activated (along with 200m).
The only weirdness was that the Wireless adapter did not get found after the first reboot. I had to remove the USB adapter, reboot a second time, and then install it. Wireless came back up. I was sweating just a little - but it didn't make sense it worked on the older version and not the new.
As per the release notes, you should perform a self calibrate if you came from 6.1.33 or earlier.
-
Hi 1104X-E users !
I just discovered FW 6.1.37R2 has been issued few weeks ago. This update requires base OS V2 install (I assume it is for new NTP client functionality but I may be wrong).
Anyone had a try with it ? If yes, is there any nasty side effect ?
-
Hi 1104X-E users !
I just discovered FW 6.1.37R2 has been issued few weeks ago. This update requires base OS V2 install (I assume it is for new NTP client functionality but I may be wrong).
Anyone had a try with it ? If yes, is there any nasty side effect ?
I think the OSv2 update is voluntary. The new firmware breaks WiFi though, if you use that.
See more in the regular thread: https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg3666196/#msg3666196 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg3666196/#msg3666196)
Edit: the announcement: https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg3643876/#msg3643876 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg3643876/#msg3643876)
-
Hi,
i received my scope today. It came with Version 6.1.35R2. I downgraded it with the firmware SDS1004X_E_6.1.26.ADS. Strangely the System Information now shows firmware version " 8.1.6.1.26 " and not "6.1.26 " !!!
When I log into the scope via browser, open the scpi window and enter " SCOPEID " into the commend line the response is " Command send success " but no Scope-ID is shown.
What am I doing wrong?
How can I obtain the scope-ID??
Thanx for help
simbea
-
Hi,
i received my scope today. It came with Version 6.1.35R2. I downgraded it with the firmware SDS1004X_E_6.1.26.ADS. Strangely the System Information now shows firmware version " 8.1.6.1.26 " and not "6.1.26 " !!!
When I log into the scope via browser, open the scpi window and enter " SCOPEID " into the commend line the response is " Command send success " but no Scope-ID is shown.
What am I doing wrong?
How can I obtain the scope-ID??
Thanx for help
simbea
Try SCOPEID? with a question mark.
-
I put an updated-for-2021 step-by-step guide in this blog post (https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/).
Reading this blog post is highly recommended for users that want to upgrade their SDS1104X-E to a SDS1204X-E. It will save you a lot of time. No firmware downgrade needed, just run a python script to generate the unlock codes for increasing bandwidth or to enable software options.
-
The 200M option needs to be entered via the SCPI web interfaces using the command > MCBD XXXXYYYYYY (without the leading > and XXXXYYYYYY being the output of the above python script in the line starting with "200M")
The other options (AWG; WIFI, MSO) need to entered via the UI of the scope. Printing them out like this AAAA BBB CCCC DDDD make life a lot easier, since you need to enter them in blocks of 4.
It's dirt cheap at .e.g Amazon.
Just got my 1104x-e today. It is also running firmware 6.1.35R2. This (and the previous python script posted earlier) worked for me, producing keys that unlocked the WiFi, MSO, AWG features.
I had problems with the bandwidth key because originally I did not remove the dash characters from my SCOPEID? output before putting it in the python script. You have to do that. Then and only then will the hash function also produce the correct keys for the bandwidth settings. I actually think it produces the correct keys for the add-on features without SCOPEID at all.
I put an updated-for-2021 step-by-step guide in this blog post (https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/).
Great guide, so much easier to unlock using that Python script than the memory dump method I used...
One suggestion though - in your blog you're saying to enter the AWG/WiFI/MSO codes via the onscreen keyboard and UI - this is very tedious and error prone, it's also possible to enter these codes via SCPI, for example:
LCISL AWG,W543W3ISPY9VBUVM
LCISL WIFI,23INF6KJFIKWMTNZ
LCISL MSO,AS425ISDE39RDHM3
That way it's a simple matter of copying and pasting the codes, so quick and a lot less error prone...
-
Does new firmware V6.1.37R8 break any unlocked features or tplink wifi? Thanks.
-
Does new firmware V6.1.37R8 break any unlocked features or tplink wifi? Thanks.
I updated firmware to V6.1.37R8 and can tell you that it does NOT break unlocked features or tplink wifi. But you do need to re-enter SSID (wifi access point) and PSK (wifi password) in menu Utility => I/O => WiFi Set to get wifi working again. Also I do experience a wifi connection issue (see this message (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg3868202/#msg3868202) for more info), but that was also the case before the FW update.
-
Does new firmware V6.1.37R8 break any unlocked features or tplink wifi? Thanks.
Even if it did you can always roll back to the previous version. Siglent don't seem to impose any restrictions on installing older versions over newer versions. At worst you'll just need to run the calibration again, which you should after any firmware version change anyway.
I'll probably update mine tonight, because why not. ;)
-
My SDS1104X-E arrived yesterday. Firmware 6.1.35R2, hw version 01-05.
I had problems with the python script. I had the following error messages :
"Traceback (most recent call last):
File "keygen.py", line 45, in <module>
print('{:5} {}'.format(opt, gen(SCOPEID)))
File "keygen.py", line 31, in gen
m = b % 0x24
TypeError: not all arguments converted during string formatting"
Because I'm not in software, I was locked in this step. I've seen that my linux distribution (Debian 10.11) had python v. 2.7.16.
So I've tried a recent live linux distribution, the python version was 3.
This solved the problem, and the script was running just fine. I didn't found this information here, so maybe this will help someone.
I've used the step-by-step guide by Jarrod, but for options AWG, WIFI, MSO I've used the SCPI commands suggested by DBMandrake (LCISL AWG,xxxxx).
Now my oscilloscope is upgraded to SDS1204X-E, and all three options are active permanent.
I've ordered the TP-LINK TL-WN725N, N150. I hope it will work.
For the moment I will check the information regarding FW 6.1.37R2, before to update.
Thank you all for sharing the information !
-
Now my oscilloscope is upgraded to SDS1204X-E, and all three options are active permanent.
I've ordered the TP-LINK TL-WN725N, N150. I hope it will work.
For the moment I will check the information regarding FW 6.1.37R2, before to update.
Thank you all for sharing the information !
That's an old version now and V6.1.37R8 and with a V2 OS update is latest.
You can find them all here:
https://int.siglent.com/download/firmwares/?ProId=12
-
That's an old version now and V6.1.37R8 and with a V2 OS update is latest.
You can find them all here:
https://int.siglent.com/download/firmwares/?ProId=12
[/quote]
Thanks for this tip. I have the oscilloscope since few days. I'm still searching for information on this topic regarding the implication of this major upgrade (v2 OS), if the activated options (BW and AWG/WiFI/MSO) will be affected. And if there will be problems, if there is a way to downgrade to V1 OS and 6.1.35R2 firmware.
In the mean time I have installed TP-LINK TL-WN725N, N150, v3 (golden version) and the link is stable with the present configuration - 6.1.35R2 firmware. The driver used in linux it seems to be r8188eu, Realtek.
-
That's an old version now and V6.1.37R8 and with a V2 OS update is latest.
You can find them all here:
https://int.siglent.com/download/firmwares/?ProId=12
Thanks for this tip. I have the oscilloscope since few days. I'm still searching for information on this topic regarding the implication of this major upgrade (v2 OS), if the activated options (BW and AWG/WiFI/MSO) will be affected. And if there will be problems, if there is a way to downgrade to V1 OS and 6.1.35R2 firmware.
In the mean time I have installed TP-LINK TL-WN725N, N150, v3 (golden version) and the link is stable with the present configuration - 6.1.35R2 firmware.
Never heard of valid options being compromised by updates in Siglents.
Upgrade with confidence is my advice otherwise there are valuable improvements you are missing out on.
-
That's an old version now and V6.1.37R8 and with a V2 OS update is latest.
You can find them all here:
https://int.siglent.com/download/firmwares/?ProId=12
Thanks for this tip. I have the oscilloscope since few days. I'm still searching for information on this topic regarding the implication of this major upgrade (v2 OS), if the activated options (BW and AWG/WiFI/MSO) will be affected. And if there will be problems, if there is a way to downgrade to V1 OS and 6.1.35R2 firmware.
In the mean time I have installed TP-LINK TL-WN725N, N150, v3 (golden version) and the link is stable with the present configuration - 6.1.35R2 firmware.
Never heard of valid options being compromised by updates in Siglents.
Upgrade with confidence is my advice otherwise there are valuable improvements you are missing out on.
Thank you tautech for advice.
I have updated the OS to v2 (Uboot-OS version 8.2), and firmware to v6.1.37R8. The FPGA version is now 2021-11-08 (from 2019-11-15 in the previous firmware 35R2).
All the options are still active.
Wifi is still working with TP-LINK TL-WN725N, N150, v3. But the link is much slower than LAN. No problem for me, I will use LAN. Wifi for just in case.
-
@core Are you still able to telnet in as root, after upgrading the OS to v2?
-
@core Are you still able to telnet in as root, after upgrading the OS to v2?
I didn't used telnet in order to activate options. Only the python script.
In this stage the following ports are opened :
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
5900/tcp open vnc
I can test the telnet, but I can't find the telnet.ADS file in forum. Send me the link to file and I will test.
-
@core I had assumed you used the custom OS file, linked to earlier in this thread, that sets the telnet password to a known string, that then allows you access on port 23.
Apologies if that was not the method you used, and disregard my question.
However if anyone else knows the answer, that would be great. I was about to upgrade, but I would assume since the telnet password is included in the OS file, which is then presumably overwritten by the OSv2 upgrade, that we would lose root access on port 23. (And we dont have access via SCPI "shellcmd telnetd" anymore either if we upgraded the firmware file I believe)
-
@core I had assumed you used the custom OS file, linked to earlier in this thread, that sets the telnet password to a known string, that then allows you access on port 23.
I see. I don't need access to port 23 for what I need from this oscilloscope.
for nmap -sS only those 3 ports are opened
So I'm pretty sure that if you have a custom OS V1, you will need a custom V2.
-
I ran the script on a new SDS1104x-e tonight. I don't feel too guilty as one of the 4 probes arrived NF. The software version is 6.1.35R2, OS 8.1 FPGA 2019-11-15. I'll have to check if this is the latest. My settings report SDS1204X-E.
Questions: 1) Has anyone plugged Leo's pulser into it before/after the change to 200M?
2) Does the Siglent arb SDG1032x work with the Bode plot and can it be bumped up to the next (or higher) version as well? I think the answer
to working is yes, and I thought I saw a way to open it up.
Thanks
Jerry
-
I ran the script on a new SDS1104x-e tonight. I don't feel too guilty as one of the 4 probes arrived NF. The software version is 6.1.35R2, OS 8.1 FPGA 2019-11-15. I'll have to check if this is the latest. My settings report SDS1204X-E.
Questions: 1) Has anyone plugged Leo's pulser into it before/after the change to 200M?
2) Does the Siglent arb SDG1032x work with the Bode plot and can it be bumped up to the next (or higher) version as well? I think the answer
to working is yes, and I thought I saw a way to open it up.
Thanks
Jerry
1. Can do on a SDS1104X-E if you're interested.
2. All Siglent AWG's interface seamlessly with any Siglent DSO capable of Bode plot.
USB is the simplest but they can interface via LAN also.
SDG1000X models have a max of 60 MHz otherwise you need go to SDG2000X models to get to the max Bode plot frequency of 120 MHz.
-
Mr. Tau,
I have Leo's pulser, I was just wondering if there was a comparison someplace that I could benchmark against.
If I want to go faster than the 1062, I have all kinds of HP generators and will have to figure out how the bode works and controls them. I saw in another thread that someone figured out how to cycle through a PC to then, I assume, use GPIB to interface to an HP generator. Before seeing that I was thinking i would hack the USB output as I've done a lot of that using STM32F7 boards.
This isnt the thread to go on about it, but I really love the display on this scope. It reminds me of the Agilents a few years ago. My 4th probe arrived bad but otherwise, all seems fine.
Jerry
ps: I grabbed my pulser that I've measured at 28ps on my 11801c and the mod'ed 1104 displays 1.67ns.
-
Mr. Tau,
I have Leo's pulser, I was just wondering if there was a comparison someplace that I could benchmark against.
I've got one too. :)
I grabbed my pulser that I've measured at 28ps on my 11801c and the mod'ed 1104 displays 1.67ns.
Stock standard SDS1104X-E SN#0014
Leo's pulser using 50 Ohm feedthrough.
(https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=1378138)
Claim warranty on that dud probe !
We test every one and recently they've very good so it's probably nearly a year since we replaced one.
Does yours have a oo marking near the 1x/10x switch ? These are the more recent versions of PP510.
-
Tau - all the probes have 00 on them. Center conductor was open.
Another question, is it ok to upgrade the firmware after the mod and if so, which version is used? I would think it is ok as the codes were generated and input.
-
By the way, Amazon, in their infinite wisdom, can't send me just another probe, but an entire scope :-BROKE. So I'll pull the probe out of the box, put a note in it, and return it. Seems like a shame that they can't then sell it as new. I was sort of hoping they would say, "don't bother returning the old scope."
-
Tau - all the probes have 00 on them. Center conductor was open.
Another question, is it ok to upgrade the firmware after the mod and if so, which version is used? I would think it is ok as the codes were generated and input.
Depending on what's already installed it might need the new V2 OS and the latest FW version.
You can find them here:
https://int.siglent.com/download/firmwares/?ProId=12
Don't worry about mods, the codes installed are the same as official ones.
By the way, Amazon, in their infinite wisdom, can't send me just another probe, but an entire scope :-BROKE. So I'll pull the probe out of the box, put a note in it, and return it. Seems like a shame that they can't then sell it as new. I was sort of hoping they would say, "don't bother returning the old scope."
Muppets. |O
Typical box shifter mentality. :horse:
What happens if you get another with a dicky probe ?
Unlikely I know but the reason I wouldn't deal with such crowds as proper support is something they have no knowledge of. ::)
-
Hi gang, looooonnnnggg time lurker, first post.
GREAT Thread for this O'scope and the tangents on the probes.
Bought the SDS1104X-E not too long ago cause my trusty old analog bench Leader scope died (nothing like the warmth of an old CRT trace at night and a Simpson 260 :bullshit:).
Became scope-less when my daughter hi-jacked my Fluke Field scope for a project in her final semester.
Just wanted to drop in and say thank you. Great threads.
The python script worked perfect , 200mhz and wifi :-+ :-+
-
Hi gang, looooonnnnggg time lurker, first post.
GREAT Thread for this O'scope and the tangents on the probes.
Bought the SDS1104X-E not too long ago cause my trusty old analog bench Leader scope died (nothing like the warmth of an old CRT trace at night and a Simpson 260 :bullshit:).
Became scope-less when my daughter hi-jacked my Fluke Field scope for a project in her final semester.
Just wanted to drop in and say thank you. Great threads.
The python script worked perfect , 200mhz and wifi :-+ :-+
Welcome to the forum.
Much respect for letting the daughter pinch your last working scope to finish her studies. :-+
However the worry is what you have to do to get it back ? :scared:
Does she need all the bells and whistles of the X-E or would the cheaper X-U be sufficient ?
-
Hi gang, looooonnnnggg time lurker, first post.
GREAT Thread for this O'scope and the tangents on the probes.
Bought the SDS1104X-E not too long ago cause my trusty old analog bench Leader scope died (nothing like the warmth of an old CRT trace at night and a Simpson 260 :bullshit:).
Became scope-less when my daughter hi-jacked my Fluke Field scope for a project in her final semester.
Just wanted to drop in and say thank you. Great threads.
The python script worked perfect , 200mhz and wifi :-+ :-+
Welcome to the forum.
Much respect for letting the daughter pinch your last working scope to finish her studies. :-+
However the worry is what you have to do to get it back ? :scared:
Does she need all the bells and whistles of the X-E or would the cheaper X-U be sufficient ?
Thank you.
The TP-LINK WIFI dongle TL-WN725N just arrived today. While amazon showed the gold version it was the silver that arrived. Stopped clanking the keys on the keyboard (work) and ran down to my lab, it plugged and played and on my wifi no problem. :-+
LOL --- I don't think she'll need all the Bs&Ws.
She's heading off more into metallurgy and related due to her internship in the particular dept she's in over the last 2 years, and the job they have waiting for her.
She's been loving the work.
I would guess she got the tinkering from me.
She studied for her Tech ticket when I was studying for my Extra ticket, we tested during the same session, both passed. School took over for her, so she didn't study or go for her General yet.
So I could see using it at a hobby level for her maybe.
We'll see for her next Birthday what she wants ( a couple of months before graduating this year)(finally a degree she'll stick with and loves the work. It's her 3rd).
We could spring for a lesser model for a BD of Xmas gift. I need my Fluke field scope back for work.
But with her moving out (again) some time after she goes full time, I'd guess her priorities might change, never mind space and access to my "lab" (basement pile of crap per the wifey).
I don't think I need all the bells and whistles either. After 40+ years in the biz, this scope is smarter than I.
The bode plot would have been sweet back in the day for the loop analysis work.
We use to have $20K of equipment on a cart to do the same thing, with an ink pen plotter and dot matrix printer! (yea I'm old).
And one $6K dual channel HP DSO to share amongst my EEs in my lab, that they played Tetris on after the rep showed them how to bring it up.
Every one had a Leader dual chn 30mhz scope for daily work. DSO was a shared asset.
These China scopes are amazing for the price.
-
I downloaded the custom OS V1 with the special root password, but now I am wondering whether OS V2 could also be made available with this password. OS V2 has Network Time Protocol and Data Logging capabilities.
-
I downloaded the custom OS V1 with the special root password, but now I am wondering whether OS V2 could also be made available with this password. OS V2 has Network Time Protocol and Data Logging capabilities.
I made a new telnet-enabled rootfs based on the v2 OS from Siglent. You can install it the usual way. Until you set a password, telnet will work without one. You can set a password by running the /etc/homebrew/passwd.sh script, but be careful, resetting the password isn't straightforward.
Download link: https://www104.zippyshare.com/v/jr8ORjtS/file.html (https://www104.zippyshare.com/v/jr8ORjtS/file.html)
I've also included a diff showing all the changes I've made, so they can be easily ported to newer OS images.
-
SDS1104E-X/SDS1204X-E
Software 6.1.37R8
OS 8.2 (V2)
After much reading and rereading this thread and other related threads, I finally took the leap. Had to learn what "python" is, how to "run" a script, and then how to enter the codes, but step-by-step it worked. Followed the instructions in https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/, (https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/,) and ran the linked "pastebin" script with an online utility (https://www.programiz.com/python-programming/online-compiler/ (https://www.programiz.com/python-programming/online-compiler/))
I entered the 200M code via the connected computer UI, and the other three codes using the scope utility, one by one. Not too bad, and took only a few minutes. Amazing!
Many thanks all the previous posters that provided the ideas, tools, and incentive.
-
Official options are always in lowercase. ;)
-
deleted my previous post where I was having problems unlocking the options as I figured out my error. It was a problem caused by a newer feature in MacOS and me not double-checking things carefully enough.
For those interested...
MacOS Monterey 12.2 has a feature called "live text". It allows you to select, capture, copy and paste text that was in an image. I captured screenshots from the scopes wifi server that listed the SN. Selected it, copied it, and pasted it.
It captured almost all the data correctly, but for some reason was transcribing an "F" in the serial number as an "E", and generating the wrong codes because of that. Cut and paste in general tends to introduce fewer errors than transcribing data manually, but not in this case! Sorry I didn't spot it sooner...
-
Hey Friends, I've just got my SDS 1104X-E and it came with 8.1.6.1.25 R2 Firmware version. I'm kind of lost which steps should I follow to upgrade it to 200 MHz. If you can point me out that'd be great. Thanks! Also https://www.makermatrix.com/ (https://www.makermatrix.com/) is down.
-
Should your still be in need of instructions, I can point you in the right direction after getting back from work.
I've done it for my own scope and it worked a treat. It's rather straightforward thanks to a handy python script that does all the heavy lifting for you. My thanks to the author, by the way.
-
Hey Friends, I've just got my SDS 1104X-E and it came with 8.1.6.1.25 R2 Firmware version. I'm kind of lost which steps should I follow to upgrade it to 200 MHz. If you can point me out that'd be great. Thanks! Also https://www.makermatrix.com/ (https://www.makermatrix.com/) is down.
Should your still be in need of instructions, I can point you in the right direction after getting back from work.
I've done it for my own scope and it worked a treat. It's rather straightforward thanks to a handy python script that does all the heavy lifting for you. My thanks to the author, by the way.
I clipped notes took from this thread. It all worked for me.
The heavy lifting of making it all happen is of the folks smarter than I of this thread. (thx!)
Again, just my notes taken from the thread.
Worked so well, bought a 2nd scope... great sales tool..
(Sorry to the OG posters of the content, I copied and pasted txt to note pad, but never took notes of the poster, just the content)..
breaking out important links:
https://replit.com/@wgoeo/siglent-keygen (https://replit.com/@wgoeo/siglent-keygen)
https://www.programiz.com/python-programming/online-compiler/ (https://www.programiz.com/python-programming/online-compiler/)
WIFI module that worked for me..
https://www.amazon.com/gp/product/B008IFXQFU/ref (https://www.amazon.com/gp/product/B008IFXQFU/ref)
clipped
-------------
Hi all,
thanks for this excellent work.
Just bought a SDS1104X-E.
Software Version: 8.1.6.1.35R2
For all that wan't to know if it's still possible, to recover your keys in a case of an emergency (lost receipt etc.): yes!
I can confirm, that using this https://replit.com/@wgoeo/siglent-keygen (https://replit.com/@wgoeo/siglent-keygen) script, which I ran locally on my PC using Python 3.9 interpreter, works like a charm.
Enter in the script header:
- the SCOPE-ID without dashes, spaces etc (just numbers and lowercase letters), which you can obtain via the SCPI web interface using the command > SCOPEID? (without the leading >)
- The SN, which you can see at the web interface of the scope at the start page (connect your scope via LAN or WLAN).
The 200M option needs to be entered via the SCPI web interfaces using the command > MCBD XXXXYYYYYY (without the leading > and XXXXYYYYYY being the output of the above python script in the line starting with "200M")
The other options (AWG; WIFI, MSO) need to entered via the UI of the scope. Printing them out like this AAAA BBB CCCC DDDD make life a lot easier, since you need to enter them in blocks of 4.
Using this TP-Link stick will result in a working Wifi:
https://www.tp-link.com/en/home-networking/adapter/tl-wn725n/ (https://www.tp-link.com/en/home-networking/adapter/tl-wn725n/)
---------------
clipped
-------------
In the 200M line the script will return a key of 16 characters. Copy them.
Back in the web browser on the web page for the scope, in the SCPI command enter:MCBD (key)
Don't include the ()s, just the 16 characters like this: MCBD 0123456789ABCDEF
MCBD YS97TM3YVEUFICEC
The 200M option needs to be entered via the SCPI web interfaces using the command > MCBD XXXXYYYYYY (without the leading > and XXXXYYYYYY being the output of the above python script in the line starting with "200M")
The other options (AWG; WIFI, MSO) need to entered via the UI of the scope. Printing them out like this AAAA BBB CCCC DDDD make life a lot easier, since you need to enter them in blocks of 4.
8 ) Enter 16 character Scope ID (remove the dashes inbetween!) and the 14 character serial number in the corresponding placeholders of the py-code file.
9) Run the Python code, either on your PC if you have PyCharm or Visual Studio or find an online Python engine where you can paste the patched py code and run it. Most simple is to just run it off the website provided by wgeoe. There you can also paste your ID/SN in.
10) Pick the for the SDS1000X-E relevant keys from the result (100M, 200M, AWG, WIFI, MSO).
11) Go back to the SPCI terminal and install the bandwidth key with MCBD <key> (e.g. MCBD 0123456789ABCDEF). If the key was taken you will see with MCBD?. Then the same key you just entered appears in the result window. Also you can see instantly that the scope has now changed model number. (No scope restart is needed, result is immediate. You even see the change in noise when in the 0.5mV range with nothing connected).
12) Now install the SW options. On the SPCI use LCISL <option> <key> (Option AWG, WIFI, MSO), (e.g. LCISL WIFI 0123456789ABCDE). I used the scope's function to enter the key under Utilities, Options, on one of the pages select one of the three options and press install button to enter the key, scope will answer "License key installed" (make sure the key is correct, I fell victim to my own handwriting and almost gave up until I noticed that I mistook Z for a 2 |O ).
13) Although changes are imminent, for sanity reboot the scope and do a calibration.
14) Congratulations you are done. Don't forget to thank wgoeo and tinhead
-----------
-
Hi all, my Siglent 1104X-E has been unlocked to a 1204X-E with all options enabled (AWG, USB WIFI & MSO). Currently running 6.1.35R2 and I suspect OS V1.
I can see Siglent has released FW 6.1.37R8 and OS V2 now. Can I upgrade to these without losing the unlocks? Or if I do loose them, is it possible to get them back with the simple python script as before? Anyone tried this?
-
I unlocked it in OS V1, updated, OS included (to V2) and everything is hunky dory. It works just fine.
-
Thank you to those involved in the development of this unlock. I received my scope with FW: 6.1.37R2 running on OSv1. I hooked it up to my network and went to the webpage and SCPI to get my SCOPEID and the launch screen for my SN. I input those two things into the python script that is provided in this thread and ran it locally to get my codes. Then entered all of them in the SCPI screen to change to 200mhz and enable the three options. Below are the exact things I put into the web interface with my specific codes. I also made a file with all of these including going back to 100mhz if for some reason I need to do that.
MCBD NP2MQ3463XTPDPWG
LCISL AWG,7IPMGKP38ADU236K
LCISL WIFI,7ZMAMJGX62KP78FP
LCISL MSO,5XJHUPM33NB84IX3
I couldn't get the wifi to work on this OS and FW combo that it came with. I first updated the OS to v2 then the FW to 6.1.37R8 and did the calibration after which the wifi started to work. Before when I tried to move to WLAN it would just beep and not change even though it saw the wifi dongle.
-
I see that there is an option to return to 100Mhz if needed. Similarly, is it also possible to disable the other options (WiFI, AWG, MSO) ? Basically, a way to do a "factory reset" in case I want to claim warrant or something ?
-
AFAIR, there is a SCPI command to wipe the licenses. I think it is in the forum, somewhere.
-
BTW, the software version on my scope is 6.1.37R8 and "Uboot-OS Version" is 8.3
3 ? On the Siglent site, I see that the latest OS version available is 2 ? ??? ???
-
AFAIR, there is a SCPI command to wipe the licenses. I think it is in the forum, somewhere.
After a lot of searching, I found 2 probable ways of doing this :
1) https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1870769/#msg1870769 (https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1870769/#msg1870769)
To revert the scope back to the previous bandwidth license, and to remove the optional licenses, you execute the following script after logging in via a telnet session as root:
mount -o remount,rw /usr/bin/siglent/firmdata0
rm /usr/bin/siglent/firmdata0/options*
cat VVVVVVVVVVVVVVVV > /usr/bin/siglent/firmdata0/bandwidth.txt
(control-d)(control-d)
sync
reboot
2) https://www.eevblog.com/forum/testgear/siglent-ssa3000x-spectrum-analyzers/msg3085468/#msg3085468 (https://www.eevblog.com/forum/testgear/siglent-ssa3000x-spectrum-analyzers/msg3085468/#msg3085468)
Interesting :-\
Yeah, the name hack is nothing
- change in NSP_trends_config_info
- I think you are correct it simply modifies some internal tag but nothing in the base software, as there are other snags which revert to the SSA
The serial number is also a problem
- easy way is to use the SCPI :SRLN <serial_num> command.
- This works , but it will wipe your license settings.
Not sure if there is a proper license number 'fix' which does not screw with the system??
- not a fan of doing temp paches which are prone to failure
These two things are certainly challenging - short of patching hex files (not recommended) would be great to have a nice solution that does not get wiped with FW updates.
Option 1 would require me to find out a way to get root access and Option 2 is not exactly in the context of the SDS1104X-E. Is there something that I missed? :)
-
Just a small tip as to how to get root access the easiest on the SDS1104X-E
This works on the latest Uboot 8.3 and 6.1.37R9 firmware
Simply put the two scripts I attached on the root of your USB stick, the scope will automatically open up a root telnet on port 9999 while booting.
When in telnet, you can use the remount.sh script to change the USB from r/o to r/w.
Don't forget to remove the file after playing around, we don't want exposed root shells on the network!
But to cover myself, I of course take no responsibility for any damage that may occur to the user or the scope by using my script.
I hope this can help some people who didn't have success flashing a custom Uboot ^^
-
Just a small tip as to how to get root access the easiest on the SDS1104X-E
This works on the latest Uboot 8.3 and 6.1.37R9 firmware
Simply put the two scripts I attached on the root of your USB stick, the scope will automatically open up a root telnet on port 9999 while booting.
When in telnet, you can use the remount.sh script to change the USB from r/o to r/w.
Don't forget to remove the file after playing around, we don't want exposed root shells on the network!
But to cover myself, I of course take no responsibility for any damage that may occur to the user or the scope by using my script.
I hope this can help some people who didn't have success flashing a custom Uboot ^^
When did you buy your scope? The Uboot 8.3 isn't available online (only 8.2 is) but I think another member here mentioned the 8.3
I wonder what are the differences between 8.2 and 8.3 and why they don't release it...
-
It was bought in June 2022, Hardware Version 09-06.
Regardless of that, the script I posted should work on all versions of the scope though ^^
-
The Uboot 8.3 isn't available online (only 8.2 is) but I think another member here mentioned the 8.3
I wonder what are the differences between 8.2 and 8.3 and why they don't release it...
Yes, I mentioned 8.3 (HW version 01-05):
(https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=1535512;image)
Bought it last june the 21st. I have no idea about differences between 8.2 and 8.3 ::)
Now it's running 6.1.37R9 firmware.
-
Hello all
I see there’s an R9 version now available and OS 8.3. Am I safe to assume that it’s ok to upgrade my hacked 1104 without losing the extra features?
Thanks!
-
Hello all
I see there’s an R9 version now available and OS 8.3. Am I safe to assume that it’s ok to upgrade my hacked 1104 without losing the extra features?
Thanks!
I don't think it's commercially available. At least not here:
https://www.siglenteu.com/service-and-support/firmware-software/digital-oscilloscopes/#sds1000x-e-series (https://www.siglenteu.com/service-and-support/firmware-software/digital-oscilloscopes/#sds1000x-e-series)
-
Hello all
I see there’s an R9 version now available and OS 8.3. Am I safe to assume that it’s ok to upgrade my hacked 1104 without losing the extra features?
Thanks!
OS 8.3 is not yet publicly available although it came already installed in my recently acquired SDS1104X-E along with V6.1.37R8. On the other hand, R9 is available for download. I have installed R9 and my previous hacks (all ::) ) are OK.
Unfortunately there are still some bugs (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg4282900/#msg4282900) lying 'round!
[EDIT: wrong scope model number! :-[ ]
-
interesting!
It was posted on another thread! :)
https://www.eevblog.com/forum/testgear/wifi-interference-on-siglent-oscilloscope/msg4340188/#msg4340188 (https://www.eevblog.com/forum/testgear/wifi-interference-on-siglent-oscilloscope/msg4340188/#msg4340188)
Looks like this is necessary for latest HW revisions
1. Fixed the problem: The skew of the two ADCs is not accuracy for hardware of 09 version (System Status shows Hardware Version: 09-xx). The other hardware version has no this problem.
-
SDS1104E-X/SDS1204X-E
Firmware 6.1.37R8 6.1.37R9
OS 8.2 (V2)
Just updated to Firmware V6.1.37R9. I had activated the options back in February (reply #332 above) and was also concerned about the impact of doing the update. The only effect I found was the WiFi and NTP had been turned off and I had to manually enter the WLAN data again to re-establish the connection.
Very appreciative of this great forum.
-
Got my SDS1104X-E today and had it fully hacked in 12 minutes!
Thank all of you that participated in doing the research on this and sharing the information to make this possible.
It was interesting to read through this thread and see the evolution of the process. Started out fairly complex and ended up a breeze.
Awesome!
I love the web server. This is truly a pretty good scope for the price.
Thanks again guys!
Oh, BTW mine is:
OS - 8.3
SV - 6.1.37R8
-
Does anyone have another link to file SDS1004X-E_OSV1_EN_eevblog.zip when I go to the link I just get hammered with a whole lot of scam and porn and it want me install a lot of crap I have tried several times with same result
-
Does anyone have another link to file SDS1004X-E_OSV1_EN_eevblog.zip when I go to the link I just get hammered with a whole lot of scam and porn and it want me install a lot of crap I have tried several times with same result
. (https://app.box.com/s/j5lcyyhvfd6juysbsv7a61y717sp75ux)
-
Does anyone have another link to file SDS1004X-E_OSV1_EN_eevblog.zip when I go to the link I just get hammered with a whole lot of scam and porn and it want me install a lot of crap I have tried several times with same result
Quite difficult to understand why any people want upload any these kind of things to this kind of shitboxes
-
Why would anyone even want to download them?
-
OK, so i just bought this based on your comment!. Now I need help to find the easiest instructions you pointed to without having to go through 914 posts. Could you please tell me?
Cheers
-
OK, so i just bought this based on your comment!. Now I need help to find the easiest instructions you pointed to without having to go through 914 posts. Could you please tell me?
Cheers
You don't have to look far. There is a detailed post on the previous page with all the steps you need to generate keys and use them.
-
It looks like LCISL cammand through web interface adds temporary license for WIFI/MSO/AWG, while entering the same code through scope menu makes it permanent. FW 6.1.37R9, Uboot 8.3 [attachimg=1]
-
Hey All,
I have come here to admit defeat and see if I can not track down some assistance from the smart folks on this board.
Issue : No matter what I seem to do, I can not get the WIFI, AWG, or MSO to activate past a 30 time trial. I have successfully patched the unit with the 200M feature and it reflects as a 1204x-e.
Things I have tried : Various combinations of firmware and OS. Unit shipped with OS 8.1 SW 6.1.37R9. I have downgraded firmware to match posts reporting success. I have upgraded fully.
Python scripts dating back to 2018, including as far as I can tell, the most recent back on page 14 of this thread. Based on the hash in the script, the most recent one is consistent in what it generates.
Confirmed hardware version matches people reporting success 01-05.
Results : Putting these codes into the unit itself results in a "The data is invalid!" message.
#script variables
import hashlib
SCOPEID = '01141c241626a85c'
SN = 'SDSMMFCQ5R8700'
Model = 'SDS1000X-E'
#script output
25M IWIDZ6GXVK3MYJFK
40M 99NX42P4GCQ4YF32
50M Q3BPN363MU2JG9QI
60M JQNMJ96HM8ZC5YH5
70M 3VS3G9BMCKNJHCPM
100M VJNP8AZHDMMZR97K
150M HIPTYP7IKMFP5ADC
200M IMMEESH82D3I9QW2
250M QK8BZFI9J83EA9NJ
300M 3NPC3ZVTXGTAQNPY
350M 7Q35FQIQ7RQMZ4BA
500M 622HSNHGSNY6PRN9
750M V29PMVFAPQMIP9SP
1000M PPCQ2CJAPK2JPBXS
MAX 93PTI5NGN9WBWM37
AWG BCFQKNC2EZVWPMSX
WIFI P3GY5V44B4Q5WCDY
MSO DMPNSVIB2ISMFPK8
FLX 3HDPPWZRAN6XQ3GD
CFD SF2327MA832PZV9P
I2S S6MB32MTUQBV6XS3
1553 4NAMVUAMUZGAFM33
FG IPK2N8PUZ26DSUS9
16LA 3QTI3MHH6WZDMTRM
How can I confirm that the hashkey in the script is correct for my unit? Anyone else having issues with hardware purchased in the last month?
I am probably 2-3 hours into messing with what someone else recently proposed took them "12 minutes."
|O |O |O |O |O |O |O |O |O |O |O
-
Sorry on a double post, additional details :
Attached is a jpeg image that includes both a run from the python script as well as a hex dump using one of the origional mem dump methods from earlier in this thread. Scouring the dump file i finally came across 3 16 digit keys which I assume to be the AWG, WIFI, and MSO keys.
The key from the memdump, matches the key from the python utility exactly.
second image is my favorite screen from the unit.
Am I just stupid? I am putting this key in with all caps directly into the unit, tried all lowercase...
:scared: :palm: |O
-
All official license codes we install are in lowercase.
-
Hey, appreciate the response.
I got it, heres what I did.
I removed the 200MHz version and confirmed the Product type now read SDS 1104X-E.
The codes worked immediately in uppercase. I have not seen anywhere else on this site mention of doing the optional codes before the 200MHz upgrade, and most directions actually have it happening first. I do not know why this is the case for me but now its documented for the next guy, if you are really stuck, pull the 200MHz and try the optionals first.
After all 3 optionals were XX, I reapplied the 200MHz code and everything looks good to go after a restart.
Serious shoutout to a cool forum with a wealth of knowledge.
-
FYI - SDS1104X-E is on sale at Amazon U.S. for $399. (Oct 28, 2022)
-
Ah - do you have a link to the Amazon listing please?
I'm searching through Amazon, and can't seem to find this price.
-
Dang! I could have saved quite a bit. :(
-
Here’s the $399 deal on Amazon. I received mine two days ago, so far I’m liking it, especially at that price :-)
https://www.amazon.com/Siglent-SDS1104X-oscilloscope-channels-standard/dp/B0771N1ZF9/ref=sr_1_2_sspa?crid=1VAN58N0T8DG4&keywords=siglent+oscilloscope&qid=1667227261&qu=eyJxc2MiOiIzLjQ5IiwicXNhIjoiMi45OSIsInFzcCI6IjIuMzMifQ%3D%3D&sprefix=%2Caps%2C409&sr=8-2-spons&ufe=app_do%3Aamzn1.fos.c3015c4a-46bb-44b9-81a4-dc28e6d374b3&psc=1 (https://www.amazon.com/Siglent-SDS1104X-oscilloscope-channels-standard/dp/B0771N1ZF9/ref=sr_1_2_sspa?crid=1VAN58N0T8DG4&keywords=siglent+oscilloscope&qid=1667227261&qu=eyJxc2MiOiIzLjQ5IiwicXNhIjoiMi45OSIsInFzcCI6IjIuMzMifQ%3D%3D&sprefix=%2Caps%2C409&sr=8-2-spons&ufe=app_do%3Aamzn1.fos.c3015c4a-46bb-44b9-81a4-dc28e6d374b3&psc=1)
-
Dang! I could have saved quite a bit. :(
How long ago did you buy it? Amazon might help you out if it was recent. YMMV
-
2 questions for all of those who have / have hacked this:
1) Some old posts / videos show the -3db drop at around 130 MHz when using original firmware at locked 100MHz bandwidth. Once you unlock it to 200, does it still have the -3db drop there or does it get extended? what is the drop @ 200? I couldn't find a definitive post on a hacked one.
2) The XY mode is important for my usecase, and the early firmware was abysmal at about 2 FPS updates. I've seen a 1202XE take a newer firmware where it looked like it was at about 15-20 FPS now. But I know the 1104XE firmware is a different branch and is updated more frequently. Does the 1104XE with latest firmware have a better speed in XY mode?
Thanks!
-
1) Some old posts / videos show the -3db drop at around 130 MHz when using original firmware at locked 100MHz bandwidth. Once you unlock it to 200, does it still have the -3db drop there or does it get extended? what is the drop @ 200? I couldn't find a definitive post on a hacked one.
There are some posts where the rise time of a fast pulse was used to measure the bandwidth and an an improvement of around 2x was measured. Here's a quote from one:
- https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg3344060/?topicseen#msg3344060 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg3344060/?topicseen#msg3344060)
The rise time measured with my Colby PG1000A pulse generator (250ps rise/fall time) into a 50 Ohm termination decreased from 2.9ns to 1.6ns. Not quite a factor of two, but close.
-
How long ago did you buy it? Amazon might help you out if it was recent. YMMV
Mid-August.
Besides, no price reduction in Canada. We are apparently not nice people and do not deserve it.
-
Thanks for the postings! Worked pretty well for me so far!
Question though- my scope accepted the codes that I entered for other bandwidths, like 300MHZ, then replied to PRBD? appropriately, even afterwards showing the corresponding Siglent model number after a power cycle, e.g. SDS1304X-E is now shown when I go to the SCPI page or from the System Status button on the scope.
Note that this didn't exactly work when I tried 350MHz and above. "Product Type" was blank.
So does this really mean that the scope upgrade can be done to 250MHz and 350MHz levels too?
-
Thanks for the postings! Worked pretty well for me so far!
Question though- my scope accepted the codes that I entered for other bandwidths, like 300MHZ, then replied to PRBD? appropriately, even afterwards showing the corresponding Siglent model number after a power cycle, e.g. SDS1304X-E is now shown when I go to the SCPI page or from the System Status button on the scope.
Note that this didn't exactly work when I tried 350MHz and above. "Product Type" was blank.
So does this really mean that the scope upgrade can be done to 250MHz and 350MHz levels too?
Welcome to the forum.
For 4ch X-E in western markets there are only 2 valid BW configurations, 100 or 200 MHz. Don't use anything else if you want an instrument you can trust.
-
So does this really mean that the scope upgrade can be done to 250MHz and 350MHz levels too?
No. The model names that may appear are dependent on the contents of your sys_cfg.cfg file. Look at the end of the file.
This is its contents:
Reversing 1st part of the file [00000000-00000CF7]...
XORing with 0xFF (incrementing pattern)...
XORing with 0xFF from 0x0000067C until 0x00000CF7
00000000 - Main Checksum: FFFFD3E2 [00000004-00000CF7] CKSM OK
00000008 - Product_Type: SIGLENT
00000028 - CFG Type: SDS1004X-E
0000003C - Manufacturer_Name: SIGLENT
00000047 - CFG Flag_LongMemory: 00
00000048 - Product_ID: 10000
0000004C - Logo Image Size: 00000000 (0 pixels)
00000050 - USB_Prod_ID_PTP: EE39
00000052 - USB_Prod_ID_RAW: EE38
00000054 - USB_Prod_ID_TMC: EE3A
00000056 - USB_Vendor_ID: F4EC
00000058 - Prefix: SDS
0000005C - Logo_Manufacturer: Siglent
0000009C - CFG Flag_pic_machine: 01
0000009D - CFG Flag_sys_machine: 01
0000009E - CFG Flag_____USB_TMC: 01
0000009F - CFG Flag___SCPI/ERES: 01
000000A0 - CFG Fl_invert/neuter: 00
000000A1 - CFG Flag___skew/gate: 00
000000A2 - CFG Flag____vxi/roll: 01
000000A3 - CFG Flag___________A: 00 not_used(?)
000000A4 - CFG Flag___lang_mask: 1800
000000A6 - CFG Flag__lang_total: 11
000000A7 - CFG Flag_mach_series: 00
000000A8 - Machine Name 20 MHz: SDS1024X-E
000000B7 - Machine Name 40 MHz: SDS1044X-E
000000C6 - Machine Name 60 MHz: SDS1064X-E
000000D5 - Machine Name 100 MHz: SDS1104X-E
000000E4 - Machine Name 150 MHz: SDS1154X-E
000000F3 - Machine Name 200 MHz: SDS1204X-E
00000102 - Machine Name 250 MHz: SDS1254X-E
00000111 - Machine Name 300 MHz: SDS1304X-E
00000120 - Machine Name 50 MHz: SDS1054X-E
0000012F - Machine Name 70 MHz: SDS1074X-E
0000013E - CFG Flag___BW_change: 00
0000013F - CFG Flag_hide_set_BW: 01
00000140 - Machine Name 350 MHz:
0000014F - Machine Name 500 MHz:
0000015E - Machine Name 750 MHz:
0000016D - Machine Name1000 MHz:
0000017C - Machine Name2000 MHz:
-
Hello!
I have a Siglent SDS 1202X-C device. In this device, the interface language is only Chinese. In neighboring branches, I learned that it is possible to change the configuration file and unlock the choice of languages. I ask for help, how to reflash it and get the opportunity to change the interface language.
I confess I am a complete amateur in the field of hacking and programming. I would be grateful if you explain how to do everything step by step. How to extract the configuration file, how to make changes to it and how to flash it back. I'm only interested in unlocking the language interface.
Thank you in advance!
-
Thanks to all involved for this topic. Now I have a fully unlocked 1204X-E, with WLAN, AWG and Logicanalyzer - option for only 510€ ;D
It is a pity that the stamp on the front panel does not automatically change to 1204X-E... :-DD :-DD
-
Are the hack instructions on post #1 current and complete, as of today? Or, have the steps also been updated along the way, within the additional 16 pages of discussion? Thank you for this clarification.
-
Are the hack instructions on post #1 current and complete, as of today? Or, have the steps also been updated along the way, within the additional 16 pages of discussion? Thank you for this clarification.
No, the process has changed significantly.
See post #337.
-
Are the hack instructions on post #1 current and complete, as of today? Or, have the steps also been updated along the way, within the additional 16 pages of discussion? Thank you for this clarification.
No, the process has changed significantly.
See post #337.
Thanks!
-
Hello amazing people,
I believe I made a bit of a mistake trying to upgrade my SDS2202X-E to 355Mhz, not realizing that is a actually not needed.
I've used the py. code generator adding in the relevant SCOPEID/SN/Model and then used the 350M to flash it trough LAN MCBD.
Right now seems that the scope is somewhat "bricked" in the sense of everything is laggy, system status cannot be accessed and model number has been removed, but it still measures correctly.
Any idea how to revert back?
Downgrading FW and then upgrading again does not seem to work.
Thank you,
-
Load the 200 MHz license to get back to where you were.
Then load the 300 MHz license....trust me on this......been here done this.
-
Hello.
Did same to 250 MHz. It seems the x50 options stagger the OS somehow. The x00 options seem to work. However, there is an issue. If one unlocks it above 200 MHz , the bandwidth is being reduced. At 250 MHz ( SDS1254X-E) i've found the amplitude to start to fall around 80 MHz, getting halved ( -3dB) at 120 MHz. Only have an SDG2122X, so can't test if the unlocked SDS actually can sample above this frequency. But at in 200 MHz mode (1204X-E) is flat as a table.
Another finding, the lowest limit of the horizontal system goes down to 1 ns only. Usually the 500 MHz scopes have it 500 ps ( at least that's what i saw in datasheets) or so. To be honest, i don't know the details how these digital scopes work, but according to the datasheets, there are models with 4x 250 Ms/s that can do 250 MHz, while the SDS1xxx series does 4x500 Ms/s, so there is room.
My question is, did any of you fine gentlemen experience the same issue ? If so, is there a hardware tweak, maybe some capacitor values to be changed, in the input circuitry to even out the bandwidth while unlocked above 200 MHz ? Or is it stupid to pursue this ?
-
My question is, did any of you fine gentlemen experience the same issue ?
What scope are you talking about? This thread seems to have spread a bit.
The SDS1000X-E series are not capable of going beyond 200MHz. Trying to install a license for 350MHz or 5000MHz is going to produce strange results even if the scope will accept such a license.
If you talking about a SDS2000X-P series I found you have to install the 350MHz license before installing the 500MHz license. Otherwise you will get strange results. It seems one license tweaks different things about the scope than does the other. It should be noted that Siglent sell a 100MHz direct to 350MHz license, but the 500MHz license they sell is only listed as being valid for a 350MHz scope. In other words, they do not sell a 100MHz to 500MHz or a 200MHz to 500MHz, only a 350MHz to 500MHz.
tautech please correct me if I'm wrong.
-
SDS1104X-E BW options are 100MHz and 200MHz.
All others are not supported!
-
SDS1104X-E BW options are 100MHz and 200MHz.
All others are not supported!
Correct however new member adacsaba read somewhere on the internet a SDS1254X-E model was possible. ::)
Trouble is, who believes anything they read on the internet these days ? :horse:
-
No, i didn't. :) I assumed. Somewhere here on this very forum, there is a post about the model table contained in the firmware of the SDS1xx4X-E series. And it indeed accepts the 250M code. But obviously, doesn't work :)
Please ignore anything i've babbled-bumbled, 200 MHz works indeed. And quite precise. The unlockability gives great value to these devices for the home user, that's for sure. I'm happy with, just like anyone else here :)
PS. Hopefully Mr. Qin does not change his mind :)
-
Are the hack instructions on post #1 current and complete, as of today? Or, have the steps also been updated along the way, within the additional 16 pages of discussion? Thank you for this clarification.
No, the process has changed significantly.
See post #337.
Post #1 updated... :)
-
What exactly are you unlocking by doing this? All features of SDS1204X-E?
-
What exactly are you unlocking by doing this? All features of SDS1204X-E?
Yes.
-
What exactly are you unlocking by doing this? All features of SDS1204X-E?
Yes.
And I'm guessing you can't do the same thing with X-U version?
-
I don't believe so. I don't think the X-U has any options at all.
-
What exactly are you unlocking by doing this? All features of SDS1204X-E?
Yes.
And I'm guessing you can't do the same thing with X-U version?
Bill is 100% correct.
No options to liberate and BW upgrade would break Nyquist bad. SDS1104X-U is only a 100 MHz DSO. If you must have 200 MHz get the even cheaper SDS1202X-E.
-
Hi, it work great, thanks !
I used SCPI to pass on 200MHz. For options it doesn't worked (while web UI told success), so i entered it manually.
And after unlocking all i restarted the scope & updated the firmware.
It's an awesome scope ❤️
-
Hi, it work great, thanks !
I used SCPI to pass on 200MHz. For options it doesn't worked (while web UI told success), so i entered it manually.
And after unlocking all i restarted the scope & updated the firmware.
It's an awesome scope ❤️
Congrats.
When using the webserver SCPI command page to add options, the command syntax need be perfect.
Certainly it will report command sent successfully however unless the syntax is perfect it will not be accepted by the scope.
Enjoy.
-
I don't get this hype regarding bandwidth hacking on sds1104x-e. At the end this is 1GSPS scope. Signals looks good up to 50Mhz and above that it's a bit of a stretch of the imagination. At 100Mhz there is only 10 points to reconstruct the signal (square wave looks like sine). At 200Mhz they are 5..
To not be completely off-topic - The changes between OS V2 and OS V3 is a one simple number (1 byte). In the /etc/version file there is "rootfs_version=" with value 3 for OS v2 and value 4 for OS v3.
So anyone can change their OS to v3 without OS flashing.
-
At 100Mhz there is only 10 points to reconstruct the signal (square wave looks like sine).
That's got nothing to do with the lack of points.
A 100MHz "square wave" is made of a 100MHz sine wave + a 300MHz sine wave + a 500Mhz sine wave + ... etc.
Your oscilloscope can't see the 300Mhz wave or any of the other higher frequencies, all you can see is the 100MHz sine wave.
-
You only need 4 points to reproduce a perfect square wave. The reason it's looking like a sine wave is due to bandwidth limitation. It's basically working like a low pass filter. If you improve the BW to 200MHz, you can see better square waves. Rise time improves to better than 1.8ns from 3.5ns.
-
You only need 4 points to reproduce a perfect square wave.
With graph paper, sure, but not with sin(x)/x signal reconstruction. For anything resembling a square wave you need to see at least the first two harmonics so you need more than 12 sample points per wave.
(5 x 2.5 = 12.5)
-
I was just pointing out the theoretical requirement.
Anyhow. Below, the green trace is a (not terribly good) 100MHz square wave on a 600MHz scope and the same square wave in purple on an SDS1104X-E improved to 200MHz. You can still very much see it's a (not terribly good) square wave. On a 100MHz version it would not look nearly as square if at all..
-
What's this AC triggering BS Bill ? :-//
-
What's this AC triggering BS Bill ? :-//
It was set up for something else. I just quickly plugged the oscillator in and changed the time base. That's what I saw, so didn't do any more. Lazy.. :-//
-
Sometimes it's just easier to hit Default ......or if you have it set up a User Default. ;)
-
You can still very much see it's a (not terribly good) square wave.
It's exactly what I would expect to see - a sine wave plus an attenuated sine wave at 3x the frequency.
But in this case it has nothing to do with not having enough samples. It's lack of bandwidth in the in the front end - they're not letting the 300MHz/500Mhz/700Mhz components of the "square wave" through.
On a 100MHz version it would not look nearly as square if at all..
On a 100MHz device the sine wave at 300Mhz wave will be more attenuated so it will closer to a pure sine wave.
-
That's got nothing to do with the lack of points.
A 100MHz "square wave" is made of a 100MHz sine wave + a 300MHz sine wave + a 500Mhz sine wave + ... etc.
Your oscilloscope can't see the 300Mhz wave or any of the other higher frequencies, all you can see is the 100MHz sine wave.
It's a good day for me to learn something new. Thanks.
So in the end the hack will only increase BW of forntend? Although I couldn't find anything from the pictures of frontend (HW 05) that might limit the BW.
-
So in the end the hack will only increase BW of forntend? Although I couldn't find anything from the pictures of frontend (HW 05) that might limit the BW.
It's a feature of the modern Variable Gain Amplifiers (VGA) used in the front end. Basically they have not only programable gain, but programable bandwidth too.
-
According to the pictures of SDS1104X-E, the AD8370 is used in HW 05. This VGA has no BW limiting capability (or I'm missing that feature in the datasheet).
-
But in this case it has nothing to do with not having enough samples. It's lack of bandwidth in the in the front end - they're not letting the 300MHz/500Mhz/700Mhz components of the "square wave" through.
That's what I was trying to point out too, but I thought I'd do it with pictures.
The bottom line is there is definite benefit to the higher BW, even if the sample rate is not increased as well.
-
According to the pictures of SDS1104X-E, the AD8370 is used in HW 05. This VGA has no BW limiting capability (or I'm missing that feature in the datasheet).
That's a pretty fast amplifier, but you're right, it does not have that function.
I honestly don't know where they are doing it. It may even be a digital filter. These scopes also have a 20MHz BW limit. It may be done the same way as that.
All that said, the BW increase to 200MHz is real.
-
my own take on it is that the only difference between 100MHz and 200MHz versions is that the 100MHz version has artificial software filtering to give the appearance of limited front-end bandwidth. the end result is that the 200MHz version acts more 'naturally' (like a CRO would) as input frequency increases, whereas the 100MHz version behaves in what feels like a disconcertingly 'odd' way.
bear in mind that i mostly look at digital signals, and ones at rates that are nowhere close to the 100MHz area. however, there are sharp edges. with my scope (SDS1104X-E) unlocked be to the 200MHz version the sorts of things i see on screen are significantly closer to what i expect. as a result, my opinion is that while i understand Siglent's motivation to create a product differentiation, the the software filtering used to create the 100MHz version does a disservice to the 100MHz product.
cheers,
rob :-)
-
So in the end the hack will only increase BW of forntend?
Yes.
-
The bottom line is there is definite benefit to the higher BW, even if the sample rate is not increased as well.
Yes... until you start to turn on more channels and the sample rate halves. When that happens you'll be letting through more frequencies than can alias.
-
So in the end the hack will only increase BW of forntend?
Yes.
No. so it seems we may disagree :-DD
to get this straight:
1. my understanding is that the 100MHz version of the SDS1104X-E uses software filtering to give the appearance of limited front-end bandwidth. electrically the 100MHz and 200MHz versions of the scope have identical electrical signal paths, the filter is all done via a (digital) software algorithm in either the processor or FPGA.
2. your understanding is that the 100MHz version of the SDS1104X-E has the real bandwidth of the front-end limited via something like an electronic switch that turns on an actual physical filtering component in the front-end circuit path. hence the signal presented to the ADCs have followed through a (subtly) different electrical path.
do we have evidence to support theory 2. over theory 1.?
cheers,
rob :-)
-
do we have evidence to support theory 2. over theory 1.?
I dunno about Siglents but that's how some Rigols do it - they switch in extra capacitors on the front end to reduce the bandwidth.
-
So in the end the hack will only increase BW of forntend?
Yes.
No. so it seems we may disagree :-DD
to get this straight:
1. my understanding is that the 100MHz version of the SDS1104X-E uses software filtering to give the appearance of limited front-end bandwidth. electrically the 100MHz and 200MHz versions of the scope have identical electrical signal paths, the filter is all done via a (digital) software algorithm in either the processor or FPGA.
2. your understanding is that the 100MHz version of the SDS1104X-E has the real bandwidth of the front-end limited via something like an electronic switch that turns on an actual physical filtering component in the front-end circuit path. hence the signal presented to the ADCs have followed through a (subtly) different electrical path.
do we have evidence to support theory 2. over theory 1.?
cheers,
rob :-)
All 1000X-E models are a 200 MHz design SW limited to the various models in this range, in the west we see only 100 and 200 MHz models whereas in the east there is a 70 MHz model too !
Typically the IC that provides the 20 MHz BW filter can also provide the full BW limiter and for all the BW tests I've done on Siglent DSO's 5-20% over rated BW is typical however some models are substantially more, Eg the 500 MHz design 100 MHz SDS2104X Plus has -3dB BW of some 185 MHz and therefore supplied with 200 MHz probes.
Dave Jones has a good look at the VGA (variable gain amp) in a SDS114X-E in this vid from a few years back:
https://www.eevblog.com/2019/07/10/eevblog-1228-do-digital-scopes-have-real-verniers/ (https://www.eevblog.com/2019/07/10/eevblog-1228-do-digital-scopes-have-real-verniers/)
-
I only do analog audio and I was wondering whether there's any benefit in unlocking this o'scope. I'm talking about the 200MHz unlock. I don't care about the other unlocking options.
According to fungus, it might be even better to keep the scope at 100MHz due to aliasing (?). Unless I totally misinterpreting his post.
-
Hi, it work great, thanks !
I used SCPI to pass on 200MHz. For options it doesn't worked (while web UI told success), so i entered it manually.
And after unlocking all i restarted the scope & updated the firmware.
It's an awesome scope ❤️
Congrats.
When using the webserver SCPI command page to add options, the command syntax need be perfect.
Certainly it will report command sent successfully however unless the syntax is perfect it will not be accepted by the scope.
Enjoy.
Thanks i really do! Just wait from dealer new probe (cause one have internal contact issues), they will put it into generator box.
-
I don't get this hype regarding bandwidth hacking on sds1104x-e. At the end this is 1GSPS scope. Signals looks good up to 50Mhz and above that it's a bit of a stretch of the imagination. At 100Mhz there is only 10 points to reconstruct the signal (square wave looks like sine). At 200Mhz they are 5..
To not be completely off-topic - The changes between OS V2 and OS V3 is a one simple number (1 byte). In the /etc/version file there is "rootfs_version=" with value 3 for OS v2 and value 4 for OS v3.
So anyone can change their OS to v3 without OS flashing.
Hi. I personally think that every job must be paid. Also i think that people need to respect the rules & obligations.
For me i got not a "wow i see 200MHz waves", but the perfect (i hope so) display all signals upto 100MHz i paid for. The features: i don't plan to use MSO nor WIFI nor the siglent's AWG.
I wanna buy better probes, yes (while existing are perfect for me cause it's mostly for audio freqs).
So with the hack i did Siglent company lost nothing, but got a good client. I got correct measures upto 100MHz (even bit more).
The AWG i paid is 16bit rigol DG811 (which will be hacked for max sampling).
I follow Dave's idea that beginners don't need overkills.
If after some time i see that i need "better" AWG or another features, i will buy another AWG w/ features i need or an another scope/other stuff.
-
According to fungus, it might be even better to keep the scope at 100MHz due to aliasing (?).
Yes, but only when you turn on more than two channels. :)
(and not just according to me, it's the math...)
-
According to fungus, it might be even better to keep the scope at 100MHz due to aliasing (?).
Yes, but only when you turn on more than two channels. :)
(and not just according to me, it's the math...)
Most of the times I use all 4 channels. So in this case you reckon I'll be better off by leaving the scope alone (i.e. 100MHz) ?
-
Most of the times I use all 4 channels. So in this case you reckon I'll be better off by leaving the scope alone (i.e. 100MHz) ?
Not just 'reckon', I can prove it, mathematically. :)
-
Not just 'reckon', I can prove it, mathematically. :)
I'd like to see that.
So, you are trying to tell us that, if I'm measuring, say a complex set of 4 signals, the scope will perform better if limited to 100MHz rather than 200MHz when measuring the same set of signals??
-
So, you are trying to tell us that, if I'm measuring, say a complex set of 4 signals, the scope will perform better if limited to 100MHz rather than 200MHz when measuring the same set of signals??
At audio frequencies you won't see any difference.
With high frequency, real-world signals? Less aliasing.
-
So, you are trying to tell us that, if I'm measuring, say a complex set of 4 signals, the scope will perform better if limited to 100MHz rather than 200MHz when measuring the same set of signals??
At audio frequencies you won't see any difference.
With high frequency, real-world signals? Less aliasing.
given what you say is so, would the same rule not hold for the higher range Siglent scopes, for example the SDS2000X PLUS range that has FOUR model options of 100MHz, 200MHz, 350MHz and 500MHz?
you seems to be saying that for anyone who is interested in signal frequencies around the 100MHz area, compared to the base 100MHz SDS2104X+ model, the 200MHz variant will perform worse, the 350MHz variant will perform even worse, and the 500MHz variant will... well perhaps be most abysmal of all.
AND, if this is so, then why would Siglent not install a switch on their scopes, allowing the user to select a bandwidth limit appropriate to what they are measuring: the SDS2504X PLUS would have a 4 position selector for 100, 200, 350 and 500MHz limiting. or is this some sort of a marketing ploy, so that the poor user in a professional lab needs to own FOUR SDS2000X+ scopes, one for each bandwidth option.
cheers,
rob :-)
cheers,
rob :-)
-
So, you are trying to tell us that, if I'm measuring, say a complex set of 4 signals, the scope will perform better if limited to 100MHz rather than 200MHz when measuring the same set of signals??
At audio frequencies you won't see any difference.
With high frequency, real-world signals? Less aliasing.
given what you say is so, would the same rule not hold for the higher range Siglent scopes, for example the SDS2000X PLUS range that has FOUR model options of 100MHz, 200MHz, 350MHz and 500MHz?
you seems to be saying that for anyone who is interested in signal frequencies around the 100MHz area, compared to the base 100MHz SDS2104X+ model, the 200MHz variant will perform worse, the 350MHz variant will perform even worse, and the 500MHz variant will... well perhaps be most abysmal of all.
AND, if this is so, then why would Siglent not install a switch on their scopes, allowing the user to select a bandwidth limit appropriate to what they are measuring: the SDS2504X PLUS would have a 4 position selector for 100, 200, 350 and 500MHz limiting. or is this some sort of a marketing ploy, so that the poor user in a professional lab needs to own FOUR SDS2000X+ scopes, one for each bandwidth option.
cheers,
rob :-)
SDS2504X Plus already does that. Siglent engineers aren't mugs and know sampling rates need be kept at levels where the risk of aliasing is much reduced.
Only 2 channels are supported at 500 MHz (much neared 600 !) and only by having one on each ADC and when a 2nd on either ADC is activated BW is automatically reduced to 350 MHz and indicated such with all the channel tabs changing from Full to a 350 MHz BW limit.
-
So, you are trying to tell us that, if I'm measuring, say a complex set of 4 signals, the scope will perform better if limited to 100MHz rather than 200MHz when measuring the same set of signals??
At audio frequencies you won't see any difference.
With high frequency, real-world signals? Less aliasing.
given what you say is so, would the same rule not hold for the higher range Siglent scopes, for example the SDS2000X PLUS range that has FOUR model options of 100MHz, 200MHz, 350MHz and 500MHz?
you seems to be saying that for anyone who is interested in signal frequencies around the 100MHz area, compared to the base 100MHz SDS2104X+ model, the 200MHz variant will perform worse, the 350MHz variant will perform even worse, and the 500MHz variant will... well perhaps be most abysmal of all.
AND, if this is so, then why would Siglent not install a switch on their scopes, allowing the user to select a bandwidth limit appropriate to what they are measuring: the SDS2504X PLUS would have a 4 position selector for 100, 200, 350 and 500MHz limiting. or is this some sort of a marketing ploy, so that the poor user in a professional lab needs to own FOUR SDS2000X+ scopes, one for each bandwidth option.
cheers,
rob :-)
No it doesn't mean that. Fungus just wrote something and didn't explain it and you interpolated something completely wrong.
And on my 2 Siglent scopes (one 500 MHz and other 1GHz) you have 20MHz, 200MHz and Full BW as options... But not because of reason you mentioned but because operator sometimes wants BW limited measurements on purpose..
-
given what you say is so, would the same rule not hold for the higher range Siglent scopes
Of course.
for example the SDS2000X PLUS range that has FOUR model options of 100MHz, 200MHz, 350MHz and 500MHz?
you seems to be saying that for anyone who is interested in signal frequencies around the 100MHz area, compared to the base 100MHz SDS2104X+ model, the 200MHz variant will perform worse, the 350MHz variant will perform even worse, and the 500MHz variant will... well perhaps be most abysmal of all.
It's not quite that simple...
a) I believe those 'scopes have two ADCs so they don't drop down to 1/4 the sampling rate, only half.
That means you could end up sampling a 500MHz sine wave at 1GS/sec. on the top end model. I don't see how that can end well, maybe somebody could try it and post a screenshot of the result.
b) If I feed in a 300MHz square wave to that model I'll have a sine wave at 300MHz, a sine wave at 900MHz, etc. This graphic from the Siglent web site shows the bandwidth rolloff of the front end.
(https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=1757123;image)
As you can see: The 900MHz wave is attenuated by about -12dB. It will alias as a 100Mhz signal but it will be small. You'll have to look hard to see it (an FFT should show it best...)
So... the aliasing you see on screen depends a lot on the characteristics of the analog front end.
(cue tautech telling us that Siglent front ends are the absolute best at this)
c) Another thing to remember is that all these 'scopes change their sample rate as you adjust the horizontal time base. This can introduce aliasing too, although we don't normally notice because as humans we tend to adjust the horizontal scale so we can see the waveform with our eyes.
If you set it out of whack you'll get aliasing. eg. I just set my Micsig to 40kHz sample rate and fed it a 25kHz sine wave. This was what I saw on screen.
(https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=1757174;image)
If I zoom in I can see the 25kHz signal has aliased around the 20kHz Nyquist point and become a 15kHz signal.
(https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=1757180;image)
Aliasing at 25 kiloHz on a 100MHz 'scope? It happens!
Do I blame the Micsig? No, it's just the way the math works.
Bottom line ... it's complicated.
Maybe instead of fixing the bandwidth to 100Mhz you could get into the habit of turning channels on and off to get maximum sample rate on the channel of most interest. If you see the signal change when you flip between low/high sample rate? That's aliasing.
-
You still get the benefit of the higher BW with only one channel, and with certain well behaved signals, with two enabled. Of course, as you increase the number of active channels the risk of aliasing increases but that does not mean it's not worth the 5 minutes it takes to enable it.
If you run into aliasing a lot you will be at frequencies that you probably need a bigger badder scope for anyway and would suffer from BW limitations at 100MHz. I guess it's like with anything else, you have to give and take. Or if you prefer, you can't have your cake and eat it too.
-
b) If I feed in a 300MHz square wave to that model I'll have a sine wave at 300MHz, a sine wave at 900MHz, etc. This graphic from the Siglent web site shows the bandwidth rolloff of the front end.
(https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=1757123;image)
As you can see: The 900MHz wave is attenuated by about -12dB. It will alias as a 100Mhz signal but it will be small. You'll have to look hard to see it (an FFT should show it best...)
So... the aliasing you see on screen depends a lot on the characteristics of the analog front end.
(cue tautech telling us that Siglent front ends are the absolute best at this)
That's actually a pretty decent response curve for the front end of a 100MHz or even 200MHz scope. It's not just a simple Gaussian roll-off and it looks like Siglent actually took some time an care to maximize the BW of it. It looks to be -3dB down at ~550MHz. Would you not say that's pretty good?
-
Hi, it work great, thanks !
I used SCPI to pass on 200MHz. For options it doesn't worked (while web UI told success), so i entered it manually.
And after unlocking all i restarted the scope & updated the firmware.
It's an awesome scope ❤️
Same here. Over the web I only got TEMPORARY licence. Had to type it into the machine itself to get PERMANENT.
-
Hi, it work great, thanks !
I used SCPI to pass on 200MHz. For options it doesn't worked (while web UI told success), so i entered it manually.
And after unlocking all i restarted the scope & updated the firmware.
It's an awesome scope ❤️
Same here. Over the web I only got TEMPORARY licence. Had to type it into the machine itself to get PERMANENT.
As mentioned the SCPI command syntax needs be perfect like this:
LCISL (lic type),(lic code) < remove brackets
-
It looks to be -3dB down at ~550MHz. Would you not say that's pretty good?
Oscilloscopes are supposed to be -3dB at the bandwidth printed on the front, so... they overshot by 50MHz. :)
I'm more bothered by the 'step' at 200MHz.
Are you talking about the SDS1104X-E or the SDS2504X-P?
-
That's actually a pretty decent response curve for the front end of a 100MHz or even 200MHz scope. It's not just a simple Gaussian roll-off and it looks like Siglent actually took some time an care to maximize the BW of it.
I suspect the log scale helps to make it look pretty.
-
That's actually a pretty decent response curve for the front end of a 100MHz or even 200MHz scope. It's not just a simple Gaussian roll-off and it looks like Siglent actually took some time an care to maximize the BW of it.
I suspect the log scale helps to make it look pretty.
They are usually done on log scales. Look up a Gaussian roll-off. You will se the difference. BTW, where on Siglent's site did you find that graph?
-
You still get the benefit of the higher BW with only one channel, and with certain well behaved signals, with two enabled.
Actually, I need to correct myself here. The SDS1004X-E scopes have two ADCs so you can full 1GHz sampling with 2 channels active.
-
Look up a Gaussian roll-off. You will se the difference.
Siglent chopped off the tail end of that graph so it's hard to say exactly where it goes next.
But yeah, non-gaussian rolloffs are common, eg.: https://edadocs.software.keysight.com/kkbopen/how-does-non-gaussian-bandwidth-roll-off-factor-into-oscilloscope-bandwidth-selection-criteria-part-2-614517537.html
BTW, where on Siglent's site did you find that graph?
On the front page: https://siglentna.com/digital-oscilloscopes/sds2000xp/
-
That's actually a pretty decent response curve for the front end of a 100MHz or even 200MHz scope. It's not just a simple Gaussian roll-off and it looks like Siglent actually took some time an care to maximize the BW of it.
I suspect the log scale helps to make it look pretty.
Log scale is what is used to show BW.... Hence specification in dB.. That is industry standard..
-
Just want to say 'Thank you' for this synopsis and the pointers. I followed the synopsis here (Reply #332) and the instructions at https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/ (https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/) and used the web based python interpreter and the upgrade to 200MHz worked perfectly!
Using the online interpreter made things very easy. I initially went the route of installing python 3 on my Win10 machine but when I ran the script I got an error.
Traceback (most recent call last):
File "my_keygen.py", line 45, in <module>
print('{:5} {}'.format(opt, gen(SCOPEID)))
File "my_keygen.py", line 31, in gen
m = b % 0x24
TypeError: not all arguments converted during string formatting
Using the online interpreter to work around the error worked fine.
Some of my product details: Purchased my scope in Nov 2022:
Software version: 6.1.37R8
Uboot os: 8.3
FPGA version 2021-11-08
Original Product type: SDS 1104X-E......
Upgraded April 2023, New Product Type: SDS1204X-E.....(very cool!)
Much thanks!
-
After enabling the 200 MHz BW of the scope, I realized that the probes are 100 MHz (PP510). Siglent has a 200 MHz probe (PP215).
The specs on the PP215 state: Bandwidth: 6 MHz (X1) / 200 MHz (X10) and for the PP510: Bandwidth: 6 MHz (X1) / 100 MHz (X10).
Capacitance is essentially the same for both probes at 1x and 10x.
It seems there is no need/advantage to get the 200 MHz probe....Thoughts?
TY
J
-
After enabling the 200 MHz BW of the scope, I realized that the probes are 100 MHz (PP510). Siglent has a 200 MHz probe (PP215).
The specs on the PP215 state: Bandwidth: 6 MHz (X1) / 200 MHz (X10) and for the PP510: Bandwidth: 6 MHz (X1) / 100 MHz (X10).
Capacitance is essentially the same for both probes at 1x and 10x.
It seems there is no need/advantage to get the 200 MHz probe....Thoughts?
This and related topics have been discussed before in the corresponding thread.
For example here (reply #56):
https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg1434665/#msg1434665 (https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg1434665/#msg1434665)
or here (reply #191):
https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg3290546/#msg3290546 (https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg3290546/#msg3290546)
-
I haven't followed the topic of unlocking Siglent for a long time, just discovered that there is a keygen for SDS1000X-E model. But I have old SDS1102X model, can someone help if there is keygen for old SDS1000X model?
I know that bandwidth unlock for SDS1000X requires hw mod, but there are also other features which can be unlocked with key, such as serial decoders and harmonic analyzer. So, it will be interested to unlock it.
-
I haven't followed the topic of unlocking Siglent for a long time, just discovered that there is a keygen for SDS1000X-E model. But I have old SDS1102X model, can someone help if there is keygen for old SDS1000X model?
I know that bandwidth unlock for SDS1000X requires hw mod, but there are also other features which can be unlocked with key, such as serial decoders and harmonic analyzer. So, it will be interested to unlock it.
Nothing available to the public unfortunately but tv84 might help you is you ask him nicely.
-
.. tv84 might help you ..
How does tv84 do this? :-// Especially since he has rarely seen any of these instruments.
-
A Python problem?
I am trying to unlock my 1104X-E using this method:
https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/ (https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/)
Here's my note to the author about the problem I have encountered:
Thank you so much for sharing this! I have a 1104X-E and I have made good progress with your instructions -- to a point. I have not been able to run the Python code successfully.
I downloaded Python v3.11, from the Microsoft App Store. I copied/pasted your code to NotePad. I adjusted the Scope ID and Serial number to my numbers (the last five changed to "#####," for personal security.) See RAW Paste Data ( I hope this is where I am supposed to put my code.) I copied the adjusted code to the Clipboard.
I opened Python and right clicked to paste the updated code. Windows gives me a warning and I accept. Python opens and automatically pastes my code on the page.
I know little of coding and nothing of Python, but it appears that the script runs automatically and fails =
SyntaxError: invalid syntax
>>> print('{:5} {}'.format(opt, gen(SN)))
I rather think that this is not related to the scope ID and serial numbers that I adjusted. However, please confirm the syntaxes are correct for both. Please also confirm that the code runs automatically and that I do not need to clean/compile/run it, in some manner. Of course, I need to know what to do to get things to work correctly, as well. Please be very specific with your instructions, step by step.
Not knowing when the author might check for comments, I thought that I would ask here, as well. Please and thank you, for your help.
t1d
HP All-in-One
Windows 11 - Current version
Full code:
Python 3.11.3 (tags/v3.11.3:f3909b8, Apr 4 2023, 23:49:59) [MSC v.1934 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> # Keygen program for Siglent oscilloscopes
>>>
>>> import hashlib
>>>
>>> # You get this by running "SCOPEID?" at the SCIP prompt and removing the dashes
>>> SCOPEID = '000225480f4#####'
>>> # Replace this with your SN
>>> SN = 'SDSMMEBQ3#####'
>>> # This is one of the four options below
>>> Model = 'SDS1000X-E'
>>> # 'SDS1000X-E', 'SDS2000X-E', 'SDS2000X+', 'SDS5000X', 'ZODIAC-'
>>>
>>> bwopt = ('25M', '40M', '50M', '60M', '70M', '100M', '150M', '200M',
... '250M', '300M', '350M', '500M', '750M', '1000M', 'MAX')
>>> otheropt = ('AWG', 'WIFI', 'MSO', 'FLX',
... 'CFD', 'I2S', '1553', 'FG', '16LA')
>>>
>>> hashkey = '5zao9lyua01pp7hjzm3orcq90mds63z6zi5kv7vmv3ih981vlwn06txnjdtas3u2wa8msx61i12ueh14t7kqwsfskg032nhyuy1d9vv2wm925rd18kih9xhkyilobbgy'
>>>
>>> def gen(x):
... h = hashlib.md5((
... hashkey +
... (Model+'\n').ljust(32, '\x00') +
... opt.ljust(5, '\x00') +
... 2*(((SCOPEID if opt in bwopt else SN) + '\n').ljust(32, '\x00')) +
... '\x00'*16).encode('ascii')
... ).digest()
... key = ''
... for b in h:
... if (b <= 0x2F or b > 0x39) and (b <= 0x60 or b > 0x7A):
... m = b % 0x24
... b = m + (0x57 if m > 9 else 0x30)
... if b == 0x30:
... b = 0x32
... if b == 0x31:
... b = 0x33
... if b == 0x6c:
... b = 0x6d
... if b == 0x6f:
... b = 0x70
... key += chr(b)
... return key.upper()
...
>>> for opt in bwopt:
... print('{:5} {}'.format(opt, gen(SCOPEID)))
... for opt in otheropt:
File "<stdin>", line 3
for opt in otheropt:
^^^
SyntaxError: invalid syntax
>>> print('{:5} {}'.format(opt, gen(SN)))
-
I thought there was some possibility that I had dropped a line of the code, when I originally cut/pasted it. So, I tried it all again. I now think that my original cut/paste was okay, but I get more error codes. See additional code, attached.
...
... for opt in bwopt:
File "<stdin>", line 25
for opt in bwopt:
^^^
SyntaxError: invalid syntax
>>> print('{:5} {}'.format(opt, gen(SCOPEID)))
File "<stdin>", line 1
print('{:5} {}'.format(opt, gen(SCOPEID)))
IndentationError: unexpected indent
>>> for opt in otheropt:
... print('{:5} {}'.format(opt, gen(SN)))
The author published on June 24, 2021. I think the current version of Python, at that time, was v3.9. So, I tried it and still no joy.
Thanks for the help.
Python 3.11.3 (tags/v3.11.3:f3909b8, Apr 4 2023, 23:49:59) [MSC v.1934 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> # Keygen program for Siglent oscilloscopes
>>>
>>> import hashlib
>>>
>>> # You get this by running "SCOPEID?" at the SCIP prompt and removing the dashes
>>> SCOPEID = '000225480f4#####'
>>> # Replace this with your SN
>>> SN = 'SDSMMEBQ3#####'
>>> # This is one of the four options below
>>> Model = 'SDS1000X-E'
>>> # 'SDS1000X-E', 'SDS2000X-E', 'SDS2000X+', 'SDS5000X', 'ZODIAC-'
>>>
>>> bwopt = ('25M', '40M', '50M', '60M', '70M', '100M', '150M', '200M',
... '250M', '300M', '350M', '500M', '750M', '1000M', 'MAX')
>>> otheropt = ('AWG', 'WIFI', 'MSO', 'FLX',
... 'CFD', 'I2S', '1553', 'FG', '16LA')
>>>
>>> hashkey = '5zao9lyua01pp7hjzm3orcq90mds63z6zi5kv7vmv3ih981vlwn06txnjdtas3u2wa8msx61i12ueh14t7kqwsfskg032nhyuy1d9vv2wm925rd18kih9xhkyilobbgy'
>>>
>>> def gen(x):
... h = hashlib.md5((
... hashkey +
... (Model+'\n').ljust(32, '\x00') +
... opt.ljust(5, '\x00') +
... 2*(((SCOPEID if opt in bwopt else SN) + '\n').ljust(32, '\x00')) +
... '\x00'*16).encode('ascii')
... ).digest()
... key = ''
... for b in h:
... if (b <= 0x2F or b > 0x39) and (b <= 0x60 or b > 0x7A):
... m = b % 0x24
... b = m + (0x57 if m > 9 else 0x30)
... if b == 0x30:
... b = 0x32
... if b == 0x31:
... b = 0x33
... if b == 0x6c:
... b = 0x6d
... if b == 0x6f:
... b = 0x70
... key += chr(b)
... return key.upper()
...
... for opt in bwopt:
File "<stdin>", line 25
for opt in bwopt:
^^^
SyntaxError: invalid syntax
>>> print('{:5} {}'.format(opt, gen(SCOPEID)))
File "<stdin>", line 1
print('{:5} {}'.format(opt, gen(SCOPEID)))
IndentationError: unexpected indent
>>> for opt in otheropt:
... print('{:5} {}'.format(opt, gen(SN)))
-
Forgot to say my scope software version = 6.1.35R2. Sorry for that...
-
Why not use this code https://replit.com/@wgoeo/siglent-keygen#main.py (https://replit.com/@wgoeo/siglent-keygen#main.py) as per https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg4066828/#msg4066828 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg4066828/#msg4066828)
-
Why not use this code https://replit.com/@wgoeo/siglent-keygen#main.py (https://replit.com/@wgoeo/siglent-keygen#main.py) as per https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg4066828/#msg4066828 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg4066828/#msg4066828)
Thanks, RC, for you reply.
Why not use wgoeo's code and the forum post's instructions? Because the link I provided has step by step instructions with pictures to guide you. As I mentioned, I am not much of a coder and I know nothing of Python. I did not compare the two sets of code line by line, but they look to be the same. That makes me wonder if I might not be using Python correctly.
-
Using wgoeo's Python Script, I still get the same errors with both v3.9 and v3.11. My Python scripts were downloaded from the Microsoft App Store.
After return key.upper()
Errors For Python v3.9 =
... return key.upper()
...
... for opt in bwopt:
File "<stdin>", line 21
for opt in bwopt:
^
SyntaxError: invalid syntax
>>> print('{:5} {}'.format(opt, gen(SCOPEID)))
File "<stdin>", line 1
print('{:5} {}'.format(opt, gen(SCOPEID)))
IndentationError: unexpected indent
>>> for opt in otheropt:
... print('{:5} {}'.format(opt, gen(SN)))
...
Errors For Python v3.11 =
... return key.upper()
...
... for opt in bwopt:
File "<stdin>", line 21
for opt in bwopt:
^^^
SyntaxError: invalid syntax
>>> print('{:5} {}'.format(opt, gen(SCOPEID)))
File "<stdin>", line 1
print('{:5} {}'.format(opt, gen(SCOPEID)))
IndentationError: unexpected indent
>>> for opt in otheropt:
... print('{:5} {}'.format(opt, gen(SN)))
...
As the errors seem to have to do with the Scope ID and the SN, I copied/pasted those numbers directly from Siglent interface, removed the dashes in Notepad and reran the code. It came back with the same error results.
I am running an older version of the scope firmware, but I can't imagine that I would get more access to make these changes with a more recent firmware. It is more likely that any newer firmware would close any open doors.
Thoughts? Suggestions? Thanks.
-
At times when I have checked official licences this the script I use:
import hashlib
SCOPEID = '0000000000000000'
Model = ‘xxxxxxxxx'
bwopt = ('25M', '40M', '50M', '60M', '70M', '100M', '150M', '200M', '250M',
'300M', '350M', '500M', '750M', '1000M', 'MAX', 'AWG', 'WIFI', 'MSO',
'FLX', 'CFD', 'I2S', '1553', 'PWA', 'MANC', 'SENT')
hashkey = '5zao9lyua01pp7hjzm3orcq90mds63z6zi5kv7vmv3ih981vlwn06txnjdtas3u2wa8msx61i12ueh14t7kqwsfskg032nhyuy1d9vv2wm925rd18kih9xhkyilobbgy'
def gen(x):
h = hashlib.md5((hashkey + (Model + '\n').ljust(32, '\x00') + opt.ljust(
5, '\x00') + 2 * ((SCOPEID + '\n').ljust(32, '\x00')) +
'\x00' * 16).encode('ascii')).digest()
key = ''
for b in h:
if (b <= 0x2F or b > 0x39) and (b <= 0x60 or b > 0x7A):
m = b % 0x24
b = m + (0x57 if m > 9 else 0x30)
if b == 0x30: b = 0x32
if b == 0x31: b = 0x33
if b == 0x6c: b = 0x6d
if b == 0x6f: b = 0x70
key += chr(b)
return key.upper()
for opt in bwopt:
print('{:5} {}'.format(opt, gen(SCOPEID)))
Sometimes SCOPEID is used, sometimes the SN#.
Pay attention to spaces, hyphens, commas and even test color in Python as they are clues to your code mistakes.
-
At times when I have checked official licences this the script I use:
import hashlib
SCOPEID = '0000000000000000'
Model = ‘xxxxxxxxx'
bwopt = ('25M', '40M', '50M', '60M', '70M', '100M', '150M', '200M', '250M',
'300M', '350M', '500M', '750M', '1000M', 'MAX', 'AWG', 'WIFI', 'MSO',
'FLX', 'CFD', 'I2S', '1553', 'PWA', 'MANC', 'SENT')
hashkey = '5zao9lyua01pp7hjzm3orcq90mds63z6zi5kv7vmv3ih981vlwn06txnjdtas3u2wa8msx61i12ueh14t7kqwsfskg032nhyuy1d9vv2wm925rd18kih9xhkyilobbgy'
def gen(x):
h = hashlib.md5((hashkey + (Model + '\n').ljust(32, '\x00') + opt.ljust(
5, '\x00') + 2 * ((SCOPEID + '\n').ljust(32, '\x00')) +
'\x00' * 16).encode('ascii')).digest()
key = ''
for b in h:
if (b <= 0x2F or b > 0x39) and (b <= 0x60 or b > 0x7A):
m = b % 0x24
b = m + (0x57 if m > 9 else 0x30)
if b == 0x30: b = 0x32
if b == 0x31: b = 0x33
if b == 0x6c: b = 0x6d
if b == 0x6f: b = 0x70
key += chr(b)
return key.upper()
for opt in bwopt:
print('{:5} {}'.format(opt, gen(SCOPEID)))
Sometimes SCOPEID is used, sometimes the SN#.
Pay attention to spaces, hyphens, commas and even test color in Python as they are clues to your code mistakes.
Hi, tautech. A h-u-g-e thank you for helping me and another huge thank you for all you do for our EE Community! As said, I am not much of a coder and I know nothing of Python, so I am not able to dig out the error, myself. I could, probably, apply various corrections, if I had step by step instructions.
My Python only looks like what I would describe as a black serial monitor, DOS page, etc. It does not look like a regular programming environment like Visual Studio. Just a black background and white letters.
EDIT: Oh, I get it... official licences... I will try your code. Thank you.
-
Here is tautech's run in v3.11... I ran it as model SDS1104X-E and SDS1000X-E. Then, I corrected the code "'" on the model number and ran it all again. Still no joy, but we will keep at it.
Edit: #### added after running it, of course.
Python 3.11.3 (tags/v3.11.3:f3909b8, Apr 4 2023, 23:49:59) [MSC v.1934 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>>
>>> SCOPEID = '000225480f4#####'
>>> Model = ‘SDS1000X-E'
File "<stdin>", line 1
Model = ‘SDS1000X-E'
^
SyntaxError: invalid character '‘' (U+2018)
>>>
>>> bwopt = ('25M', '40M', '50M', '60M', '70M', '100M', '150M', '200M', '250M',
... '300M', '350M', '500M', '750M', '1000M', 'MAX', 'AWG', 'WIFI', 'MSO',
... 'FLX', 'CFD', 'I2S', '1553', 'PWA', 'MANC', 'SENT')
>>>
>>> hashkey = '5zao9lyua01pp7hjzm3orcq90mds63z6zi5kv7vmv3ih981vlwn06txnjdtas3u2wa8msx61i12ueh14t7kqwsfskg032nhyuy1d9vv2wm925rd18kih9xhkyilobbgy'
>>>
>>>
>>> def gen(x):
... h = hashlib.md5((hashkey + (Model + '\n').ljust(32, '\x00') + opt.ljust(
... 5, '\x00') + 2 * ((SCOPEID + '\n').ljust(32, '\x00')) +
... '\x00' * 16).encode('ascii')).digest()
... key = ''
... for b in h:
... if (b <= 0x2F or b > 0x39) and (b <= 0x60 or b > 0x7A):
... m = b % 0x24
... b = m + (0x57 if m > 9 else 0x30)
... if b == 0x30: b = 0x32
... if b == 0x31: b = 0x33
... if b == 0x6c: b = 0x6d
... if b == 0x6f: b = 0x70
... key += chr(b)
... return key.upper()
...
>>> for opt in bwopt:
... print('{:5} {}'.format(opt, gen(SCOPEID)))
-
RC sent me a private message and suggested that I use this on-line Python compiler.
https://www.programiz.com/python-programming/online-compiler/ (https://www.programiz.com/python-programming/online-compiler/)
I did do that and I now have my needed numbers.
However, I used the on-line compiler out of desperation. I can only wonder what access I have given the dark web and who owns my computer, now. That is not a complaint against RC, but rather a warning to others.
EDIT: I can say that this link had very helpful instructions, with pictures. I really needed the pictures -lol- Super-thanks to that author... You just need a working Python compiler.
https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/ (https://www.makermatrix.com/blog/hacking-the-siglent-1104x-e-oscilloscope/)
Much thanks to everyone. Cheers. t1d
-
i know it's too late now, but when you download python, it includes a program called IDLE.
I also visited the "Hacking The Siglent 1104X-E Oscilloscope" website & downloaded the python script from his link. I right clicked on the file & chose "edit with IDLE 3.11". I left the default scope ID & serial number as it was, just to see if the script executed OK. From the Run PDM I selected "Run Module". It produced the list of codes. So I then entered my own ID & serial number to get the codes for my scope.
-
i know it's too late now, but when you download python, it includes a program called IDLE.
I also visited the "Hacking The Siglent 1104X-E Oscilloscope" website & downloaded the python script from his link. I right clicked on the file & chose "edit with IDLE 3.11". I left the default scope ID & serial number as it was, just to see if the script executed OK. From the Run PDM I selected "Run Module". It produced the list of codes. So I then entered my own ID & serial number to get the codes for my scope.
That's good to know; thank you. What do I need to do to protect myself - yes, it might be too late... Change some particular password? Get a new IP address? I don't know how to get a new address; I would need to have instructions, or a link. Thanks!
-
I would not worry too much. If it was a dodgy site there would be something about it when you use a search engine to search to that websites name. Plus I would not have thought "hackers" would be that interested in people who use Siglent 1104X-E oscilloscopes.
As for changing your IP, just power cycle your internet modem. Unless you have a static IP.
-
This error means you typed incorrect quotes (‘) - all programming languages require you use an editor that won’t mangle the text into something else.
-
This error means you typed incorrect quotes (‘) - all programming languages require you use an editor that won’t mangle the text into something else.
Welcome to the forum.
Yes when I use an online Python site and Copy/Fast the script and edit the (') will sometimes change color to black from green and deleting them and retyping then corrects it.
-
Just upgrade firmware to V6.1.37R10 today, the python script still works :)
-
I've settled more or less on buying SDS1104X-E as my first scope. Couple of questions I have about hacking it.
A. Is hacked SDS1104X-E same as SDS1204X-E? In other words, is there an option for bandwidth upgrading the lower model to the upper model (I looked there is none) or this is a hack option, and the scope won't be efficient at those higher frequencies?
B. Is there a difference in performance of SDS1204X-E vs hacked SDS1104X-E?
C. Can SDS1104X-E be bandwidth upgraded to more than 200 MHz?
-
I've settled more or less on buying SDS1104X-E as my first scope. Couple of questions I have about hacking it.
A. Is hacked SDS1104X-E same as SDS1204X-E? In other words, is there an option for bandwidth upgrading the lower model to the upper model (I looked there is none) or this is a hack option, and the scope won't be efficient at those higher frequencies?
B. Is there a difference in performance of SDS1204X-E vs hacked SDS1104X-E?
C. Can SDS1104X-E be bandwidth upgraded to more than 200 MHz?
A. When you upgrade the license it effectively becomes a 1204X-E even shown in the menus.
B. I don't believe so. Everything I have read is that they both share the same the hardware.
C. 200MHz. is the max but the -3dB point is a bit higher than that when upgraded if I recall.
This is a good post with a lot of information about the features.
https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/ (https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/)
Some of the newer firmware updates provided some nice QOL stuff.
-
A. Yes.
B. and C. No
-
Recently, you fine folks helped me to successfully upgrade to 1204X-E. I also updated the software to 6.1.37R10, at that time. Tonight, I saw in some other post a recommendation to also update the OS. I am not having success with that process.
Here are my stat, before and after:
Software = 6.1.37R10
UBOOT - OS = 8.3
FPGA = 2021-11-08
Hardware = 01-04
Type = SDS1204X-E
Background: !I am not much of a computer person!
I am using a new-ish PNY 32G thumb drive. Windows 11 said it had a problem, when downloading the new OS zip, but that flag cleared after a few moments, as is typical. Even with the blip, the drive always seems to operate correctly, after the flag clears. My guess is that the drive was removed from the computer, sometime, without ejecting it properly.
I tried various things, but my final (failed) attempt included:
From the Windows 11 thumb drive fault flag, I used its wizard to scan and correct the thumb drive. No errors were found.
Saved the new OS zip to the thumb drive. Extracted it. Moved all contents to the top level of the drive. See pix.
Followed the update instructions, closely.
The thumb drive LED indicator shows that the scope is polling the drive, upon startup. But, the scope never reboots itself and the Status screen never shows the OS as being updated to the new version, as the instruction say it will do. It just opens at the last screen that was being used. Manually restarting the scope does not help.
I tried a different thumb drive of the exact same type. It did not initiate any complaints from Windows 11. However, still no joy.
I would appreciate suggestions and very detailed instructions; please and thank you.
(https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=1805333)
(https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/?action=dlattach;attach=1805327)
-
I also updated the software to 6.1.37R10, at that time. Tonight, I saw in some other post a recommendation to also update the OS. I am not having success with that process.
Here are my stat, before and after:
Software = 6.1.37R10
UBOOT - OS = 8.3
FPGA = 2021-11-08
Hardware = 01-04
Type = SDS1204X-E
Background: !I am not much of a computer person!
I am using a new-ish PNY 32G thumb drive. Windows 11 said it had a problem, when downloading the new OS zip, but that flag cleared after a few moments, as is typical. Even with the blip, the drive always seems to operate correctly, after the flag clears. My guess is that the drive was removed from the computer, sometime, without ejecting it properly.
FWIW I only use 8 GB dives formatted FAT32 with 4k clusters.
As these scopes don't have a RTC any files saved to USB don't have timestamps so Windows in particular believes the drive has a fault which must be repaired. < Ignore it.
The big OS update was for V2 to support these new FW features:
From the release notes of V6.1.37R2
Added data logger featuring Sample and Measurement Logger functions
Added counter function
Added Labels
Added NTP (Network Time Protocol) and Time Zone. Also requires OS update to SDS1xx4X-E_OSV2 which is located on the SIGLENT product webpage. The OS Update Instructions is also included SDS1xx4X-E_OSV2.zip
Modified negative or positive of horizontal delay: Time zero is in trigger. Before trigger, time position is -time (negative delay relative to trigger) and after trigger is +time (positive delay relative to trigger)
Fixed a bug with Bin2CSV for ROLL mode
Rebuilt Bin2CSV to File Converter which can also convert data logger file to CSV.
Fixed a bug: some case there is a blue line on decode bus
Fixed a bug with saving hex MSO CSV file
Fixed a bug: After rebooting , Bode Plot cursor can’t be moved
Fixed a bug: fine adjusting with customer probe
WiFi supported Spaces and Special Characters
V3 OS update OTOH is to support new HW....note the instruction:
If SDS1xx4X-E hardware has version below 09, you don’t need to update SDS1xx4X-E OS.
PDF attached.
If you have NTP working you should be good to go.
Tips for such >
Setup the scope on your LAN and obtain an IP address. The LAN indicator should lose any red X.
With PC Google for your local NTP server and enter its IP into the IP box in the new Time/Date feature and choose Display and Sync.
-
Not sure if I've asked this before, but how do you know which OS is already installed on the scope?
Unlike the firmware/software/ADS versions, I can't see how OS versions 1,2,3 tie up with the info on the System Status page? Even the unzipped files don't give any clues (even the latest v3 OS released on 5th Jan 2023 show file dates of 2019 & 2021).
My Uboot-OS version is 8.3
Hardware version 01-05
Does that mean I still have ver 1 OS?
-
@ Tautech
"FWIW I only use 8 GB dives formatted FAT32 with 4k clusters."
I caught the 8GB/32GB requirement in the instructions. My 32GB was handy, so I grabbed it. I don't know if I have an 8GB; I will have to look. I did not know that the scope is particular about FAT32 and 4k clusters. To be honest, that is a little outside of my knowledge base. I will have to find out what protocols I have.
I have the same questions as 807... I thought Uboot-OS 8.3 was my OS version and that it was so old that it didn't even have the current series numbering. So, where do we find our OS version?
I have not begun working on putting together a network for my lab. So, I don't know about those things and I don't know about NTP. But, should the bottom line to my understanding be this... As my Uboot is 8.3, which is lower than 9, I do not need to update the OS anyway? If not, I will have to keep working at it and I would need your continued support.
I have told you, previously, how much we appreciate all you do for our Community, Tautech. That stands double, for today!
-
Replies here:
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg4907900/#msg4907900 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg4907900/#msg4907900)
-
Thanks a lot to everyone who contributed to this thread! I registered pretty much just to thank you all.
I've upgraded mine smoothly thanks to this guide.
Upgrading bandwidth makes a lot of sense on this scope. I've measured different signals before and after upgrade. Because the bandwidth lock is in software, it limits measured frequency to just slightly above 100 MHz, and then there is basically a wall - signal doesn't fade, you just don't see the real frequency anymore. Once unlocked the main limit is hardware, and you can see correct frequencies up to around 400 MHz! The voltage obviously drops after 200 MHz, but the ability to see frequencies way above 200 MHz is very valuable in my opinion.
I've upgraded to the latest firmware, calibrated the scope (as recommended to do after every firmware upgrade) and connected to the home network using a $10 wifi dongle. Works great. Fantastic scope for the money!
-
just got two of these really cheap both brand new in the boxes but they are a bit older looks like they were bought in 2021. both are v3 (cn post pics) dealing with my issues reading from the eye cancer trying to read through is taking me forever. is there a specific starting point where i should start reading?
also zippyshare looks to be no more so i can not download the files from the posts, does anyone have them they can upload somewhere else or do you have a link other then zippyshare?
is there a specific dongle everyone is using and it just works from pref like amazon where i can just order them up?
sorry to ask questions directly like that but its taking me forever to go through the different threads again due to having a hard time reading but i am trying. sadly its gotten worse over the past few months and my vision has become even worse. any help would be fantastic. lastly after the upgrade do i have to re mod them after updating the firmware from their website?
thank you so so so much to anyone who can point me in the right directions in advance i REALLY appreciate it. the deal was to good to pass on i didnt really "need" these but they were well worth what i paid to have them in case i need them.
-
just got two of these really cheap both brand new in the boxes but they are a bit older looks like they were bought in 2021. both are v3 (cn post pics) dealing with my issues reading from the eye cancer trying to read through is taking me forever. is there a specific starting point where i should start reading?
also zippyshare looks to be no more so i can not download the files from the posts, does anyone have them they can upload somewhere else or do you have a link other then zippyshare?
is there a specific dongle everyone is using and it just works from pref like amazon where i can just order them up?
sorry to ask questions directly like that but its taking me forever to go through the different threads again due to having a hard time reading but i am trying. sadly its gotten worse over the past few months and my vision has become even worse. any help would be fantastic. lastly after the upgrade do i have to re mod them after updating the firmware from their website?
thank you so so so much to anyone who can point me in the right directions in advance i REALLY appreciate it. the deal was to good to pass on i didnt really "need" these but they were well worth what i paid to have them in case i need them.
This is the better thread for all things SDS1*04X-E:
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/ (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/)
With aged instruments you need install the latest firmware for improvements and update the OS also.
OS updates require the update files to be on the root folder on a USB stick to upgrade invisibly at boot.
Firmware updates OTOH are a single .ADS file that you navigate to from the Utility/Update menu.
Do remember to delete the OS update files from your USB stick otherwise they will autorun at each boot if the USB stick remains in the socket.
2nd and 3rd in this list are what you need install:
https://siglentna.com/service-and-support/firmware-software/digital-oscilloscopes/#sds1000x-e-series (https://siglentna.com/service-and-support/firmware-software/digital-oscilloscopes/#sds1000x-e-series)
Study the PDF install instructions within each download package for further guidance.
This is the best WiFi dongle to get and it can be found cheap almost everywhere:
https://www.tp-link.com/us/home-networking/usb-adapter/tl-wn725n/ (https://www.tp-link.com/us/home-networking/usb-adapter/tl-wn725n/)
-
so those files will update this to add the extra features and make it 200mhz? thats what im looking to do. and if i do the hacks to enable everything and 200 then do the upgrade do i then have to re run the hacks? or will they remain unlocked? this way i know which i should do first.
thank you again for all the help i very much appreciate it.
-
so those files will update this to add the extra features and make it 200mhz?
No, they are firmware updates that fix bugs and/or add new features to the instrument.
BTW, all here prefer you to use unit definitions correctly; 200 MHz not milli something.
thats what im looking to do. and if i do the hacks to enable everything and 200 then do the upgrade do i then have to re run the hacks? or will they remain unlocked? this way i know which i should do first.
Just to make it clear, what are called hacks are not and instead they are unofficially installed official licenses.
Such licenses are never affected by firmware updates.
-
lol sorry i was using speech to text and thats how it typed it out. ill try to be more careful. and ahh okay i see now. so basically these are simply official "upgrades" lol'
i think i got it now. do you have a recc script or will most any of the ones posted here work well?
got it all working easy. i didnt think it would be that easy lol. now will test them out this weekend. but they seem good so far. then i will update them to the newest software and os. i just dont have any 8gb usb drives laying around here they are all 64 or bigger i have to grab one from the office. thank you for your help. next to upgrade the waveform gen lol.
-
I see that there are procedures to revert to the original 100Mhz, and also delete the entitlements (WIFI, etc). How about a complete factory reset, including Startup Times? Is there a way to complete erase all logs, etc.? Essentially bring the scope back to factory virgin configuration.
-
I see that there are procedures to revert to the original 100Mhz, and also delete the entitlements (WIFI, etc). How about a complete factory reset, including Startup Times?
Welcome to the forum.
Not available to the public.
Is there a way to complete erase all logs, etc.? Essentially bring the scope back to factory virgin configuration.
Why, whom are you trying to deceive ? :-//
There is a Secure Erase feature that deletes all user settings, IP, WiFi passwords etc.
-
Not available to the public.
Well. That begs the question .. why?
-
Not available to the public.
Well. That begs the question .. why?
It's just not needed when you have Factory Default and Secure Erase.
All that remains is the preexisting boot count and any options licenses.
-
It's just not needed when you have Factory Default and Secure Erase.
All that remains is the preexisting boot count and any options licenses.
Good enough. :-+
-
It's just not needed when you have Factory Default and Secure Erase.
All that remains is the preexisting boot count and any options licenses.
Good enough. :-+
Nearly.
When we have a new unit that is not up to date with the OS and FW we can easy put a few boots on it before PD checks are finished and it's not a good look when a customer receives one with say 4 boots on it already so then and only then do we return it to zero.
3 units just PD checked didn't require such as they all were right up to date so they go out the door with just a single boot on them. :phew:
-
Nearly.
I meant your reply. I can see why the channel needs this and understand why we don't. :-+
-
Is there a way to complete erase all logs, etc.? Essentially bring the scope back to factory virgin configuration.
Why, whom are you trying to deceive ? :-//
Thanks for the Welcome! Not trying to deceive anyone, but I did buy an Amazon Warehouse deal returned/used SDS1104; came without factory packaging. Looks new, and upon bootup it came up with Startup Times as 1. However some of the sundries did look used. Amazon usually doesn't do much cleanup of returns before selling, so wondering if the previous purchaser reset the counter.
-
Is there a way to complete erase all logs, etc.? Essentially bring the scope back to factory virgin configuration.
Why, whom are you trying to deceive ? :-//
Thanks for the Welcome! Not trying to deceive anyone, but I did buy an Amazon Warehouse deal returned/used SDS1104; came without factory packaging. Looks new, and upon bootup it came up with Startup Times as 1. However some of the sundries did look used. Amazon usually doesn't do much cleanup of returns before selling, so wondering if the previous purchaser reset the counter.
Interesting puzzle.
TBH it's quite fiddly to get probes and such back into their pouch so they look like new.
What matters is everything working as it should ?
-
Interesting puzzle.
TBH it's quite fiddly to get probes and such back into their pouch so they look like new.
What matters is everything working as it should ?
So far so good :). I knew I as poking the bear asking the question once I hit send, but had to ask. Bringing the scope up to latest images, I see the FPGA Version states 2021-11-8. Running software version 6.1.37R10. Looks like I'm good with latest code.
-
Hi,
How can I get my sds1102x-e's Scope-id ? Telnet spci command <SCOPEID?> returns nothing.
I need ScopeID and SN for generating key 200MHz.
Thank you !
-
Hi,
How can I get my sds1102x-e's Scope-id ? Telnet spci command <SCOPEID?> returns nothing.
I need ScopeID and SN for generating key 200MHz.
Thank you !
Do you mean 1104X-E?
Does it display "Command send success" in the response box?
Do you get a response from other queries such as "MENU?" It should respond with MENU ON or MENU OFF.
You are clicking on the blue box under the command box afterwards? My initial reaction was to press the enter key which, of course, doesn't work.
-
You are clicking on the blue box under the command box afterwards? My initial reaction was to press the enter key which, of course, doesn't work.
Mine is SDS1102X-C and converted to SDS1102X-E for full langugage support then now I want unlock it to 200MHz.
The response look like this ... SCOPEID? gave nothing. Others command are ok.
-
Mine is SDS1102X-C and converted to SDS1102X-E for full langugage support then now I want unlock it to 200MHz.
The response look like this ... SCOPEID? gave nothing. Others command are ok.
Syntax is incorrect.
Try SCOPE_ID?
-
Why not use web browser as everybody else ?
-
Why not use web browser as everybody else ?
2 channels series are not supported this function. Only for 4 chs.
-
]
Syntax is incorrect.
Try SCOPE_ID?
I wonder why with new firmware from 1.3.36 or 1.3.37 Telnet cannot open port to scope anymore.
I need re-up back to old fw for hacking then upgrade later.
-
Syntax is incorrect.
Try SCOPE_ID?
Thank you again, tautech !
follow this post, he said "SCOPEID?"
https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg4066828/#msg4066828
follow this post, Othman he said "SCOPEID?" again and gave nothing
https://www.eevblog.com/forum/testgear/siglent-sds1102x-c-supported-languages-issue/msg4381981/#msg4381981
so I did the same thing and thought maybe something wrong or cannot get ID with this series... :phew:
Now I've unlocked successful and mine is SDS1202X-E with -C- hardware based :-DD
-
...You are clicking on the blue box under the command box afterwards? My initial reaction was to press the enter key which, of course, doesn't work.
Sorry. Should have read your post more closely. I assumed that you were using the web interface.
btw...scopeid? & scope_id? both work on the 1104X-E.
-
btw...scopeid? & scope_id? both work on the 1104X-E.
I've tried on EasyScope last night (2 channels is not supported Web sever).
Yes, scopeid? & scope_id? both worked !
But on Telnet only scope_id? ok.
As you see the pic I attached above, scopei? command returns none result.
-
Just for sharing python script method still working fine for a new SDS1104X-E. The process works fine. Latest firmare. also.
-
Just for sharing python script method still working fine for a new SDS1104X-E. The process works fine. Latest firmare. also.
Hello does the script method still work. Did Siglent block this exploit as of 2024.
-
Just for sharing python script method still working fine for a new SDS1104X-E. The process works fine. Latest firmare. also.
Hello does the script method still work. Did Siglent block this exploit as of 2024.
Why would they?
-
Hi. Sorry for the late reply.
Yes, for me it worked super smoothly, using the information shared along these posts (via python script and scopeid).
Firmware file (latest) => SDS1xx4X-E_6.1.35R2_EN.zip
Uboot-OS Version: 8.3
Hardware Version: 09-08
Product Type: SDS1104X-E
Also enabled and using Wifi dongle TL-WN725N V3, bought from local reseller for <6€
-
Another one Unlocked today. :-+
With special thanks to Martin72 for the guidance.
-
Is it safe to update the 4-channel SDS1xx4X-E to version 6.1.37R10 or will I lose unlocked features? Same question about OS: SDS1xx4X-E Operating System -V3. Is OS V3 required for 6.1.37R10? Many thanks in advance for answers.
-
Since the features were unlocked with valid license keys, the version update should not have any detrimental effect on them.